Recent Audacity unusable in educational environments #1232
Comments
Audacity is part of school education in Kerala. This is a breaking change for them as well |
Hey, I have a temporary, Here's one; https://github.com/temporary-audacity/audacity |
This is going to be negatively impactful for a lot of folks. Either they won't notice that they are not in compliance with your new terms or they will be forced to stop using this software as described above. It seems a trivial fix to simply allow runtime disabling of personal data collection; and more than that, it's the right thing to do. I occasionally use Audacity, but have no intention of doing so again while these terms are in place without the ability to disable. |
Not only has this been in the code from way before this GitHub issue was started, it had even been documented! |
I, as well as many other people, am aware of that option. It is hardly a complete solution. The option also predates the new privacy policy, which raises some questions about what other data is, or is going to be, collected, and whether it is optional. The answers given thus far do not at all cover my use case. |
It is unreleased software which is currently only at the alpha testing stage. And as it stands right now it is still possibly subject to change. The new Application prefs pane that Steve showed above, I only documented last week. This new feature will also be documented in the "What's New in 3.0.3" page in the Manual for 3.0.3 and will be discussed in the Release Notes. |
My apologies, but you are incorrect. It is unreleased software on GitHub, and people associated with Audacity have fortunately undertaken some effort to promote how little phoning home Audacity actually does, and its configurability. There are also the compile time flags that presently leave out most of the code necessary to phone home. I'm aware of these things as I have to compile Audacity myself. I use Linux, my distro still packages 2.4.1, and I have students and producers already sending me aup3 files for various reasons. Yet this is only half the solution, at best, and the majority of the issue remains in the unresolved component. Discussion of the configurable option without even making mention of the real problem is becoming notable as it has now happened twice. Unfortunately, I can't point a big red arrow at something that doesn't exist. I can point a red arrow at this, however:
This is good, but what we'll have is a perfectly functional app that both the parent organization of the developers and my varied compliance departments won't let me use with my students. This is a significant usability issue. Under the present circumstances, my kids quite literally could not do their homework. The checkbox could be the first thing a user sees and as big as a house, but it ultimately doesn't repair the problem. As a result of these changes to Audacity, teachers in the International Baccalaureate and Advanced Placement programs in schools near me are retooling their programs to use other (mostly proprietary) applications to meet their audio requirements. These teachers would not count as developers even if you stretched the definition to include myself. But I'm "technical," so I'm looking into it. This issue is the result, and since it does affect me I spoke to my situation. I have already had to field questions regarding the age limitation. Are teachers even prevented from using Audacity to record their students? I told them I very much doubted it, but the privacy policy is such a mess I can't answer authoritatively. Retooling the privacy notice to reinclude children as authorized users-- and perhaps some further clarification-- would go a long way toward solving the issue. |
I'm one of those not-so-technical educators referenced by Refutationalist above. I work in a diverse, mixed income district where more than 50% of our students live below the poverty line, so being able to advise the use of free programs is a huge equalizer in educational access. Not being able to use Audacity with our middle schoolers has a significant negative impact, especially in our English learners program and world language instruction. If this is not resolved to allow use by children, it will be very disappointing and further the education opportunity gap that Audacity was previously a part of closing. |
I'd rather have the people who currently 'own' Audacity give Audacity back to the respectful owners that know how to follow open source GDP regulations and what not. A huge chunk of the internet already has a sour mouth for Audacity over their dumb move to record information about its users. And for what purpose? To sell it that is. |
I see the privacy policy has been updated to "draft" status until such time as the next version of Audacity is released, which is good. However, the draft still contains the age limitation and therefore this bug still exists. |
Since this is licensed under the GPL you can type whatever you want in policy. |
@SteveDaulton how is this related? As far as I can see, the red arrow in your screenshot points to a checkbox that enables/disables update checking for Audacity. I fail to understand how this should be a trivial fix to simply allow runtime disabling of personal data collection or should make Recent Audacity usable in educational environments . Can you clarify this? |
When "Check for updates" is enabled, Audacity will periodically check to see if an updated version is available. To do this, it must connect to an online resource to see if there is a more recent version for your operating system than the one that you are using. GDPR classes this information as "personal data", and so legally requires this use to be disclosed in a privacy notice. It also specifies that a child under the age of 13 cannot give consent for the use of personal data. When "Check for updates" is NOT selected, then the app does not connect to the internet and no data is exchanged. The other case where data "may" be sent over the internet is in the eventuality of a crash (either the entire app or a component within the app). If a crash occurs, a crash report is generated locally. I have not yet seen this myself (Audacity 3.0.3 alpha has not yet crashed for me), but my understanding from looking at the code is that it goes like this:
None of this applies to any current version of Audacity as versions up to and including Audacity 3.0.2 do not have the ability to connect to the Internet. |
I have tested this on 3.0.3 Release Candidates RC1 and RC2
I also tested with clicking the No buttons. In both cases where I clicked Yes to send the reports the developers told me that both cases provided valuable debug information for them - and that's why this feature is being added. |
@SteveDaulton Thank you so much for the answer, that does clarify why this is related. I still do not entirely understand, why the online resource requires to be told information about the user's system or software version, since I thought it provides a list of available versions and the client could figure out if it can update or not. At least if I look at the implementation here: https://github.com/audacity/audacity/blob/release-3.0.3/src/update/UpdateManager.cpp simplified, as I understand it, it would do this:
I cannot see in the code that it would transmit which version of Audacity you are currently using, and what operating system you are using. Maybe I'm looking at the wrong snippet, but isn't this a simple get request (as in GET requests should only retrieve data and should have no other effect. )? Does it send another request, or are there parameters transmitted that I am overlooking? Maybe in the header? I am a bit confused, because if there are additional parameters containing user information transmitted, then I can't see why. I was trying to check the content of
So, the only thing you need to send, is the GET request and receive a generic xml, the same for anyone and everyone. The transmission of the IP address which comes with a GET request, cannot possibly be the reason for the updated privacy notice and age restriction.. right? And if this would be the case, wouldn't it be an idea to have it opt-in, and make the privacy notice appear the moment you check the box? This could possibly make people freak out less, it would explain itself and you wouldn't need to agree to a privacy notice that you are not using. For example, if you have your applications managed by a package manager (apt, pacman, yum, brew, etc). I do not really propose to do this, I guess you thought about these things long and hard. But I just love using Audacity and want to understand what exactly is going on here. |
Someone posted a partial answer to this earlier ("somewhere" in one of these recent discussions).
|
Thank you for your efforts. TL;DR: There is more information in the header about the user's system than is required for check-update functionality. It is not much, but it is there, and there is no transparent reason for it. Statements like
are technically wrong. (Since there has been no reply to this post for two weeks, I must assume this is the case. You could of course adjust the functionality in a way that the server does need to know these details to function properly, but the following post - and common sense / logic - shows that it would be unnecessary. Again, I am happily corrected, but then, I think I'm sadly correct.). Now for the slightly longer read:
Therefore, the transmitted information about Audacity version and OS is not crucial to the functionality of checking for an update. Consequently the transmission of additional data in the User-Agent string can be seen as separate from the check-update, and could ideally be a separate setting that would reflect its function (e.g. "send data about Audacity version and operating system to Audacity"). If the setting is unchecked, Audacity could send a generic User-Agent string (e.g. just "Audacity"), and still keep the check-update working. With this I would like to come back to the topic of @refutationalist, that recent Audacity is unusable in educational environments. This concerns me as well, since I want to teach Audacity in my class, and that a (for me) meaningless feature throws sticks between my legs, is weird. So, that's it from me. Hopefully this can give insight into how a random non-expert would analyze the situation, though I would be surprised if this post contains any information new to you. Which is why I am a bit puzzled that the findings are not completely in line with your statements before. I assume that this whole discussion is quite a lot to handle, and technical specifics can be unclear even to someone close to the development. It is possible that I misunderstand something, but I can't see what. Anyways, thank you so much for your patience and replies, I think I understand the issue now a bit better. PS: edited formatting for clarity, link to UpdateDataParser, and added TL;DR at the beginning |
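The design proposed in the comment above, sketched as an added example (not Audacity's code and not part of the original thread): the client sends a generic User-Agent unless the user opts in, fetches one feed that is the same for everyone, and decides locally whether an update applies. The feed schema, the opt-in User-Agent format and all function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample feed; element and attribute names are hypothetical,
# not the format served by the real update server.
SAMPLE_FEED = """<updates>
  <release platform="windows" version="3.1.0"/>
  <release platform="linux" version="3.0.4"/>
  <release platform="macos" version="3.1.0"/>
</updates>"""


def request_headers(share_system_info=False, version="", os_name=""):
    """Headers for the update check; version and OS are sent only on opt-in."""
    if share_system_info:
        # Hypothetical opt-in format, shown only to contrast with the default.
        return {"User-Agent": f"Audacity/{version} ({os_name})"}
    return {"User-Agent": "Audacity"}  # generic string, identical for every client


def parse_version(text):
    """Turn '3.0.2' into (3, 0, 2) so versions compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def latest_release(feed_xml, platform):
    """Newest version the feed lists for this platform, or None."""
    # The feed is untrusted network input: refuse DTDs before parsing.
    if "<!DOCTYPE" in feed_xml:
        raise ValueError("DTD not allowed in update feed")
    root = ET.fromstring(feed_xml)
    versions = [r.get("version") for r in root.iter("release")
                if r.get("platform") == platform]
    return max(versions, key=parse_version, default=None)


def update_available(feed_xml, installed, platform):
    """Decide on the client; the server never learns installed version or OS."""
    latest = latest_release(feed_xml, platform)
    return latest is not None and parse_version(latest) > parse_version(installed)


if __name__ == "__main__":
    print(request_headers())
    print(update_available(SAMPLE_FEED, "3.0.2", "linux"))
```
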
The Privacy Policy has been updated to remove the restriction on use to 13+ - there is no age restriction on Audacity use |
Huh? I am now looking back after a while at this discussion, and it is puzzling. The user agent string is still generated as before, and therefore is transmitting the same information about the user's system as before. It is still opt-out, which means that the privacy violation happened before you can possibly open the settings. I just downloaded the latest application and verified that this happens without asking the user for consent. quote @SteveDaulton
Since you didn't change anything technically, but removed the privacy notice... are you now illegally collecting personal data from children under the age 13 without their consent? |
My views are my own, and I am not a lawyer. |
What also changed is that crash reports no longer allow to enter comments on what happened, so the major source of PI which got saved got removed. Audacity also doesn't store any personal information, IP addresses get truncated and truncated addresses together with the remaining info isn't enough to identify an individual. Further, yes, the processing happens on the basis of legitimate interest rather than consent (§2.5 of the privacy policy). And I'm also not a lawyer. |
Thanks for the answers, and also I just read my own post again and the last part sounds quite aggressive. Sorry about that, I want to apologize for the tone. I have utmost respect for your work in developing this application. There is still information about the users' system transmitted while checking for the update, while it is not necessary or even used for the purpose of checking if a newer version is available. It's not a lot of information, but it is there. I have honestly no idea how and if this is affecting the legal situation. As I understood, legitimate interests can’t be relied on as the legal reason for data processing if there is another less intrusive way to achieve the same end, which is clearly not the case here. Though, I am definitely not a lawyer and I would like to avoid getting into a legal discussion. What bugged me, the communication about it was misleading and so far it was ignored that you can just leave the user agent string empty and achieve the same functional result. I am sure that this was not done on purpose, and the fix seems super simple to me. You could just leave away the user agent string, make it opt-in and ask for users' permission before the first connection. At least for this, it would technically solve the issue. I am not referring to the crash report by the way, just to the way that it is checked for an update. I am aware that it is possible to deactivate the automatic check for an update from within the program. This you can only do though after it has already checked for an update and transmitted the information in the first place. So, it is not possible to use the current release of Audacity without it trying to phone home and transmit the User Agent String as described above. Just to make sure this is really true I filtered network traffic with wireshark, and as you can see (and probably already know) it connects to updates.teamaudacity.org (104.26.1.108) already before I am able to click on anything.
I am not happy with the way the last part of my previous post sounds, (as it literally asks for getting into a legal discussion :) ) but I'll leave it there just so that your answers make sense. I am sure you checked this is legal, but it still is uncomfortable. |
This behavior is a bug and it is fixed in the master branch. The fix will be included in the 3.1.0 release, coming in the following weeks |
We've heard a lot worse in recent months ;-) |
Audacity could, if it had wished, asked for a registration or an account to be set up in order to download the software: If you are really concerned/obsessed with not revealing your IP address even the once on initial launch you can The setting you made at step d will remain extant and unchanged unless and until you manually purge the contents of your Audacity settings folder (a hidden folder). In particular note that using Tools > Reset Configuration will NOT reset that particular setting - I QA tested that quite thoroughly. Personally I don't care too much - most things I use on t'interweb gather data about me. My phone gathers information about me - the amount that Muse gather is small in comparison to many others. |
Describe the bug
I teach introductions to broadcasting and podcasting in numerous contexts in public and private education, and I have made extensive use of Audacity. Under the new "Privacy Notice" to enable collection of app telemetry Audacity disallows use by anyone under 13 years of age. This prevents me from using the software completely-- both by the Muse Group "Notice" and by the legal requirements of the organizations I work with.
This is similar to issue #1226 but without rancor. Please keep in mind this is not merely a propaganda point in my case. Your new requirements have effectively stopped me in my tracks.
To Reproduce
Expected behavior
The app should allow runtime disabling of any statistics gathering, and the privacy notice should be updated to allow educational use.