A Lesson in Wrecking User Trust

The news was breathless, and the outrage was savage. Audacity is now spyware! Remove it immediately! Fury! Betrayal! Torches! Pitchforks!

First, a little background. Audacity is a venerable open source audio processing application that’s been around since 2000. It has a vast and devoted user base (including your humble author) and developer community. It’s one of the most recognized and recommended audio recording and editing tools for amateur audiophiles and content producers, though I’m sure there’s some penetration into the pro ranks as well, and it’s routinely rated in the top echelon of open source applications which includes other stalwarts such as LibreOffice, VLC, GIMP, and the Linux operating system itself. It’s not a minor project.

So there was some concern when it was acquired by Muse Group in April of last year. FOSS proponents are famously prickly about any perceived threat to software freedoms and famously distrustful of corporate motives, and their suspicions seemed to bear fruit almost immediately: a pull request proposed adding Google Analytics and Yandex telemetry to the desktop application, which had never had any kind of data collection or phone-home capability before. The draft update to the policy notice describing the new behavior didn’t do much to soften the message. It included language such as “Data necessary for law enforcement, litigation and authorities’ requests…” and noted that, while the data would be stored in a limited fashion on Muse Group’s servers in the EEA, it might be transferred to their offices in the USA and Russia.

The reaction was swift and unforgiving. The request itself was inundated with thousands of negative votes and rage-fueled comments, and the project was forked multiple times within hours. Muse Group quickly changed course with a post from new maintainer Martin Keary promising to drop the telemetry features and attempting to respin the whole mess as a “bad communication/coordination blunder,” but the damage was already done.

This entire kerfuffle was not the result of a regulatory or compliance failure. There was no breach report, no official complaint, no data protection authority investigation. The proposed changes hadn’t even been merged back to the main branch. Muse Group communicated directly to the user and developer community what they were planning to implement, and that’s when all hell broke loose.

User trust is fragile, and it doesn’t require a big misstep to break it. I’ve seen many organizations taking very tentative steps toward privacy entirely in response to the fear of regulatory enforcement, only to lose interest when regulators weren’t immediately showing up on their doorsteps with clipboards and sledgehammers. The problem for these organizations is that privacy regulations are something of a trailing indicator for public sentiment, so being fined or clobbered with some other enforcement action isn’t always the most pressing risk. If your organization is still considering privacy as a cost of doing business, or you’re doing the absolute minimum to meet regulatory requirements in your target markets, you might wake up to discover that the real enforcers aren’t over-worked state district attorneys or European data protection authorities, but your own customers.
