Audacity clarifies privacy policy over spyware allegations

The first version of the privacy policy mentioned sharing data with potential buyers, governments and law enforcement

Popular open-source audio-editing software Audacity has promised to revise its privacy policy, following allegations that it is being transformed into 'spyware'.

The free tool has over 100 million users worldwide, mostly music and podcast editors.

In April 2021, Muse Group, which is headquartered in Russia, purchased the app. Now Audacity has published a revised privacy policy, stating that it collects 'very limited data' about users. The data could be shared with potential buyers, staff members, advisers, auditors, legal representatives of the company, regulators and law enforcement agencies.

The policy also says the company could share users' data with Russia-based infrastructure firm WSM, although it claims that the data collected is 'very limited' and does not include 'direct identifiers' like user names or contact details. Users' real IP addresses are stored on Audacity's servers for 24 hours before they are hashed.

The updated policy page restricts children under the age of 13 from using the software. Allowing children to use the app violated the software's General Public License (GPL), the company said.

All these changes have led to claims that the software is becoming 'spyware'. Many users on Reddit and GitHub called to uninstall Audacity or revert to an older version.

Tech website Fosspost, which was among the first to report on the issue, wrote that 'one would not expect an offline desktop application to be collecting such data, phoning home and then handing that data to governments around the world whenever they see fit'.

Muse Group is now attempting to clear up the controversy, and says the confusion is down to poor wording in the Privacy Policy.

'We believe concerns are due largely to unclear phrasing in the Privacy Policy, which we are now in the process of rectifying,' the company said.

It added that it only collects very limited data from users, including their processor type, OS version, IP address and opt-in error reports. Users' IP addresses are stored in a readable format for 24 hours before they become 'pseudonymised and irretrievable'.

The company said that it won't share user data following a law enforcement request nor sell it to third parties.

The information will be shared only when required by a court in a jurisdiction in which it operates, it added.

'We do understand that unclear phrasing of the Privacy Policy and lack of context regarding introduction has led to major concerns about how we use and store the very limited data we collect,' Audacity said.

'We will be publishing a revised version shortly.'

The company also said that the updated policy will not actually come into effect until the next release of Audacity (version 3.0.3). The current version does not support data collection of any kind.