Muse Group Continues Tone Deaf Handling Of Audacity

When we last checked in on the Audacity community, privacy-minded users of the free and open source audio editor were concerned over proposed plans to add telemetry reporting to the decades old open source audio editing software. More than 1,000 comments were left on the GitHub pull request that would have implemented this “phone home” capability, with many individuals arguing that the best course of action was to create a new fork of Audacity that removed any current or future tracking code that was implemented upstream.

For their part, the project’s new owners, Muse Group, argued that the ability for Audacity to report on the user’s software environment would allow them to track down some particularly tricky bugs. The tabulation of anonymous usage information, such as which audio filters are most commonly applied, would similarly be used to determine where development time and money would best be spent. New project leader Martin “Tantacrul” Keary personally stepped in to explain that the whole situation was simply a misunderstanding, and that Muse Group had no ill intent for the venerable program. They simply wanted to get a better idea of how the software was being used in the real-world, but after seeing how vocal the community was about the subject, the decision was made to hold off on any changes until a more broadly acceptable approach could be developed.

Our last post on the subject ended on a high note, as it seemed like the situation was on the mend. While there was still a segment of the Audacity userbase that was skeptical about remote analytics being added into a program that never needed it before, representatives from the Muse Group seemed to be listening to the feedback they were receiving. Keary assured users that plans to implement telemetry had been dropped, and that should they be reintroduced in the future, it would be done with the appropriate transparency.

Unfortunately, things have only gotten worse in the intervening months. Not only is telemetry back on the menu for a program that’s never needed an Internet connection since its initial release in 2000, but this time it has brought with it a troubling Privacy Policy that details who can access the collected data. Worse, Muse Group has made it clear they intend to move Audacity away from its current GPLv2 license, even if it means muscling out long-time contributors who won’t agree to the switch. The company argues this will give them more flexibility to list the software with a wider array of package repositories, a claim that’s been met with great skepticism by those well versed in open source licensing.

License Shell Game

A little more than a week after our previous Audacity article went out, Daniel Ray, Muse Group’s Head of Strategy, dropped a new bombshell on GitHub in the form of a new Contributor License Agreement (CLA). He explained that past and future contributors would be bound by the agreement, which gives Muse Group unlimited rights over how contributed code is used and licensed. The document makes clear that the original contributor is still technically the owner of said code, and that they were free to use it in other projects, but they would have no say in its fate once folded into the Audacity project.

If there was any doubt to what Muse Group had in mind by implementing this CLA, Ray was clear that they were indeed positioning themselves to relicense the project. In the short-term they want to move Audacity from GPLv2 to GPLv3, which he explained would open up compatibility with various libraries and technologies the team had their eye on. This wouldn’t necessarily be a bad thing, and while some contributors might not have agreed with all the changes made in the later revision of the GPL, it’s unlikely the upgrade would have made too many waves.

The real trouble started when he admitted that Muse Group eventually intended to dual-license the code as well. This would mean that in some situations, and at their sole discretion, Muse Group could offer up a version of Audacity that was bound by an entirely different and yet-to-be-named license. Ray cites issues with listing GPL-licensed projects on the Apple App Store as an example of why this clause is necessary, as it would allow Muse Group to use a more permissive license to satisfy a vendor’s requirements for redistribution.

If that wasn’t enough, the FAQ for the new CLA specifically states that code contributed to Audacity may be used in future closed source projects by Muse Group:

It’s not an exaggeration to say that this is the antithesis of what the open source community, or at least the GPL, stands for. Few individuals who are looking to submit their code for inclusion to a program that’s spent more than 20 years licensed under the GPLv2 would approve of their work ending up as part of a commercial closed source project. When a commenter asked Ray how Muse Group intended to get past contributors to agree to such a document, he replied that only major contributors needed to sign off; the team decided that rewriting what he described as “trivial” contributions would be more efficient than getting the original authors to agree to the new terms.

You Must Be This Tall to Ride

While still coming to terms with the CLA, the community was further riled by the release of a draft version of Audacity’s new Privacy Policy earlier this month. This document describes an as-of-yet unimplemented telemetry system, and how the information it collects would be shared with outside parties. Of particular concern was language that said Muse Group would share “Data necessary for law enforcement, litigation and authorities’ requests (if any)” while failing to clarify the scope of the data being collected or to which authorities the company was referring. It’s worth mentioning at this point that Muse is based in Kaliningrad, Russia.

Another section of the Privacy Policy, titled simply “Minors”, explains that Audacity is not to be used by individuals under the age of 13. This clause was presumably inserted so that their proposed data collection and reporting would not run afoul of the American Children’s Online Privacy Protection Act (COPPA) and the European Union’s General Data Protection Regulation (GDPR), which limit the age at which a user can give consent to their information being used online.

Many commenters expressed concerns that Audacity’s new age requirement would mean the free tool could no longer be used in educational settings, forcing schools to find an alternative program. Others pointed out that both the GPLv2 and GPLv3 specifically forbid any limitations being placed on who can run the program. If it was Muse Group’s intent to leverage the CLA to supersede this clause of the GPL, it would be a dangerous precedent; limiting the age at which a user can run a program is a slippery slope towards other forms of discrimination, another inexcusable affront to the values of the open source community.

Squandered Trust

Just as they claimed with the botched telemetry pull request from May, the official company line is that the release of the draft Privacy Policy was a mistake, and that the final document will be revised to more closely align with the company’s goals for Audacity going forward. According to a post by Daniel Ray, once telemetry is activated in Audacity version 3.0.3, the only data that will be collected is the user’s IP address, basic information about their computer, and optionally, error reports. Despite what’s stated in the draft, he also assured users no additional data will be collected for the purposes of law enforcement, and should users wish, they can operate Audacity in an offline mode that absolves them from following the Privacy Policy altogether.

The vast differences between the draft of the Privacy Policy currently on the Audacity website and the theoretical revised version are difficult to ignore. A reasonable observer would wonder why this draft was ever publicly posted if the goal was to invalidate most of its controversial clauses in a second revision. The inescapable conclusion is that some element within Muse Group is either dangerously naive as to the realities of managing a large open source project, or more worryingly, that they’re actively trying to see how far the community can be pushed before they start to push back.

In the latter case, we may have our answer. A fork of Audacity aimed at undoing the changes being made by Muse Group, appropriately named Tenacity, has already amassed more than 4,000 stars on GitHub. Of course there’s no guarantee as to the longevity of such rebellious projects, or critically, whether or not major software repositories will eschew the upstream version in favor of “de-Mused” builds. But there’s an undeniable momentum behind it, fueled purely by the way Muse Group has bungled their interactions with the Audacity community since taking the reins just three months ago.

If this really is the beginning of a hard fork for the legendary open source audio editor, there’s no question as to who should take the blame. In the end, though, if the new Tenacity crew picks up the Audacity torch and runs with it, in a year’s time, we might find ourselves wondering what all the fuss was about.