A couple weeks ago, I saw a news headline somewhere about how the open source software project Audacity had been compromised as spyware, and that users who are concerned about freedom and privacy should not upgrade to version 3.
This article on Ars Technica (purports to) debunk this scare story, but I think they arrive at a bogus conclusion. The highlighted text in the screen capture of the article below shows why.
Spyware is concerned with violating users’ privacy, period. It doesn’t matter whether there’s a good reason for it, or if it is legally mandated. If the software is gathering information about you, not on your behalf, and reporting it to someone other than you, without your express, informed consent, it fits the definition of spyware. Period.
The “data necessary for law enforcement” category might sound good to many people. Laws are nominally good, and law enforcement must therefore also be good, right?
Sure… Except in corrupt regimes. How might they abuse this?
A better question might be: What legitimate use might they have for this?
Audacity is vague as to exactly what data is “necessary” to provide to law enforcement.
My guess is that copyright cops want some way to track Audacity users who use Audacity in violation of copyright. Of course, there’s not really a way to know if the use of a copyrighted audio file might fall under Fair Use, and Big Copyright does not care — they are the enemy of Fair Use, unconditionally. They want to protect their interests, which means, ultimately, totalitarian-level control over all media, whether they own it or not.
But in more fantastical paranoid scenarios, law enforcement could encompass nominally “anti-terrorist” technologies that can be abused to target political enemies, minorities, etc. I don’t know that this is a thing, but depending on how vague Audacity’s project maintainers are, it could conceivably be a thing. If the perceived threat is that terrorist organizations use software to create media messages, then embedding tracking data in the files to identify the computers that were used to produce them, geotagging the location of those computers via IP address, etc. is feasible, at least in principle.
Moreover, there’s little to stop evil regimes from requiring that all software must include whatever data gathering they see fit, turning computers into Big Brother boxes. We may not even be all that far from that reality as it is, given what we know about the dark influence of state actors and non-state actors on the web and on mobile device apps.
The “telemetry” data gathering that vendors use to improve their product and see how users use their products is pretty standard by now, and most people aren’t going to be impacted by that, at least not in a negative way. But it’s a door opened a crack that enables a slippery slope of “if you can collect this, we can require you to collect what we want,” so in a way telemetry features are a bit of a Trojan horse. But as long as developers are transparent about what they gather, and make it opt-in, I don’t really have a problem with it.
The article does mention that these alleged spyware features are only in official builds, so if you don’t want them, you can compile the project from source and they will not be there. While that is good, only a very small number of people will compile a software project from source for themselves.
A colleague with an interest in IT and legal issues pointed out to me that:
As I understand it a third party like Audacity DOES have to hand over records if subpoenaed by law enforcement but DOESN’T have to *create* those records if it wasn’t going to create them anyway. E.g., if cops demand the WordPress server logs that I have, I do have to hand them over. But I don’t have to have logs at all if I don’t want to.
So no, they’re doing more than they have to to comply with the law. They could just not collect the information.
I would like to know more about this WSM Group — I googled and there’s a lot of three-letter acronym organizations that use this, but the most likely one, I would guess, could be WSM Music Group, Ltd.
According to Wikipedia, they’re in Hong Kong. So, China’s oppressive laws are shaping the way “Free” (libre) software used worldwide is being developed? China is a huge IP violator and (obviously) privacy violator for its citizens, and there are plenty of examples of Chinese electronics companies (such as Lenovo, Huawei, etc.) embedding insecure backdoors and spyware out the wazoo into consumer products.
So, no, I do not feel at all assured by any of this.