#Audacity Mess Further Muddied by Muse Group’s New Licensing Efforts – Review Geek

Earlier in July, a privacy policy update for audio editor Audacity caused a stir among community members, who cited unnecessary telemetry. Parent company Muse Group offered assurances to the contrary but has now seemingly put telemetry back on the table along with some concerning licensing issues.

Audacity’s community is concerned by the policy, as the open-source software has never required an Internet connection since it was first released. Muse Group‘s sudden addition of details regarding data collection (and data sharing) to its privacy policy was understandably concerning.

The policy update stated that Muse Group would be collecting a variety of data; most of which is commonplace—like crash reports, non-fatal error codes, user computer information, and geographical location—but some raised eyebrows, like “data necessary for law enforcement and authorities’ requests (if any).” It also added that the software is “not intended for individuals below the age of 13” and requested that people under that age “please do not use the App.” While that age may seem arbitrary, it’s not; 13 is the age under which a company will have to deal with various international child data collection laws and limitations.

The Russia-based company also dropped a shocking new Contributor License Agreement (CLA) on Audacity’s GitHub page. In it, Muse Group’s Head of Strategy, Daniel Ray, explained that all future and past contributors are bound by the agreement; this gives the company full rights and control over contributed code (including how it is or can be used). The agreement states that “contributors retain copyright to their code and are free to use it however they like,” but also that they won’t have a say in any code already merged into Audacity.

Why implement the CLA, you ask? Muse Group intends to relicense the software, moving it from GPLv2 to GPLv3, which would open it up to a wider variety of technologies and libraries that the company is interested in. For the record, it owns several popular music-centric applications, like Ultimate Guitar, MuseScore, StaffPad, Tonebridge, and MuseClass.

The CLA and relicensing efforts are all fine and dandy (and certainly not unheard of in the open-source community) and either would probably go over more or less just fine with users, but the problem lies with the fact that Ray said the company might decide to dual-license the code. This could potentially allow Muse Group to put out a separate version of Audacity under a different license. Ray cited vendor redistribution requirements (say, for Apple’s App Store) as the reason why this clause is necessary, but the statement is quite vague and could have other implications.

The new CLA also states that Muse Group can use contributor code in other closed-source products “to support the continued development of Audacity.” While the company already does this with its own code, “the CLA allows us to do it with our contributors’ code, too. This is necessary because community code and internal code often get mixed in ways that are difficult to separate later on … We cannot allow the fact that we accept contributions from the community to become a disadvantage that prevents us from using our code in other products.”

Given Audacity’s open-source nature, it’s easy to see why the CLA has caused such a ripple within the community. Tons of people have contributed to the software’s code over the years, and it would likely be a massive undertaking to get them all to sign off on these changes. However, in reply to a comment voicing such concerns on the CLA blog post, Ray emphasized that Muse Group would only need major contributors to sign off. Trivial commits (single submissions with only a few lines of code) would simply be rewritten so the company wouldn’t have to track down all original authors and get them to sign off as well.

Ray stated that the original privacy policy that was released was a mistaken draft and all of the confusion and spyware accusations were “due largely to unclear phrasing in the Privacy Policy, which we are now in the process of rectifying.” He also added some further clarification about it, saying that Audacity version 3.0.3 will only collect data like the user’s IP address, basic information regarding the user’s computer, and optional error reports. He also took measures to assure users no data will be collected for law enforcement purposes and that users can run the program offline to skirt the policy outright.

This is all a lot to process, and it’s no wonder many long-time Audacity contributors and users feel slighted and/or concerned for the software’s future. Muse Group’s retraction of its original privacy policy after the backlash—and its subsequent backpedaling and labeling it as a mistaken draft—still reads suspicious and will be hard to overlook.

Not surprisingly, some users have already forked the software into a new project, dubbed (appropriately) Tenacity. While there’s no guarantee that the project will survive or be favored over Muse’s version (or any other alternative programs), the fate of that version of the software is still up in the air. Here’s hoping it lands on its feet in one way or another.

via Hackaday