> This leaves the last row—"data necessary for law enforcement, litigation and authorities' requests (if any)." While that's certainly a broad category and not particularly well-defined, it's also a fact of life in 2021.
On web services, which don't have access to your whole machine. Also perhaps in closed-source software, which many FOSS users use nothing of.
FOSS doing the same is pretty far from fact of life in 2021.
It’s standard legal boilerplate to say “if we do get a request in the form of a warrant, we will follow the law and comply.” Despite the common reading, it does not mean “we collect data we can hand over to law enforcement.”
> it does not mean “we collect data we can hand over to law enforcement.”
That's exactly what it says. The part of the privacy policy in discussion is about what they collect, not what they do with data they collect for other reasons.
That's very different from the standard boilerplate, specially for a locally running program.
Just because it has access to your whole machine doesn't mean it's going to convert into spyware and start keylogging you. It's open-source, you can audit what it's capable of. It sends very specific telemetry data home, and I think that's what this document covers.
It's an unfortunate catch-22 really. The best way to improve your program's performance is to collect telemetry, but that opens the door to law enforcement asking for the telemetry data, and you also need (IANAL) to provide a scary privacy policy like this.
If this data has value, and you are requiring your users to provide it, that makes your software transactional in its nature, and not FOSS.
If the data you are collecting is useful to law enforcement, for prosecuting an individual, you aren't anonymizing it enough.
The simple response to any law enforcement request should be simple, "We have no way of providing you with data identifiable to an individual."
FOSS has existed for decades without telemetry, it isn't needed to make good software, the convenience of it shouldn't come at the risk to your users, and should not represent a commercial benefit that is required from them to provide to you for use of your product.
It's simple, and the rest of these justifications is noise.
You really need some skills to comprehensively track down all the telemetry and successfully remove it. I'm happy folks are out there intending to do this, but its also going to provide for multiple forks probably, and now you have to trust them also.
Its just a stupid move that rightly gives the "muse" guys a PR stink.
> Just because it has access to your whole machine doesn't mean it's going to convert into spyware and start keylogging you.
Never said it meant that. The problem is not with the existence of locally-run programs.
The problem is with outright saying (in the second row, first column of the table in the privacy policy) that they'll collect whatever they feel necessary for whatever requests come in.
As an example of how the privacy policy is worded, if a request comes in to know everything you typed between datetime A and datetime B, they would have to keylog in order to obtain the "Data necessary for law enforcement, litigation and authorities' requests".
The reasonable, standard way to comply with the law would be to instead take the content of column 2 and 3 of row 2 and put them in column 2 and 3 of row 1, and delete column 1 of row 2.
IOW, you collect data for the reasonable operation of your business, and you provide access to that data to authorities when given a warrant. You don't just say you'll collect whatever is requested of you.
> It sends very specific telemetry data home, and I think that's what this document covers.
No, that's part of what the document covers. Specifically, it's what the first row of the table in the privacy policy covers.
But the problem is not the first row; it's the second.
I think you're reading it too literally. There are real-world considerations outside of the fantasy world of legalese. They can only collect data that they specifically read using code. The code is open-source. So they need to either build a keylogger right into their public source, or send you a special update that adds a keylogger before the fact.
Certainly there's little to no practical risk in this particular case, but that doesn't make the policy ok. It would really suck if accepting this signaled that it's ok to make such policies for closed-source software, for example, eventually leading to the legitimizing and normalization of keyloggers and/or other spyware-like behavior under the excuse that law enforcement may eventually want it.
What really irks here is saying that such a policy is normal now and therefore ok, when it's obviously a large new overreach.
The response that it's OK if they say they'll behave like spyware because there's little chance they'll succeed also irks.
But worse are the multiple people saying that people can't recognize a standard policy boilerplate when it obviously is not.
If we're being really generous, it's possible that the current wording was not intended to mean what it says, but that also doesn't make it ok.
Yes. For example, Adobe's[1] which describes the policy for Photoshop and their other apps describes what specific data they may collect which is all related to the operation of their apps and services, and then they say they may provide it to authorities on request.
I've never seen a privacy policy be as vague and overreaching as Audacity's.
"For what it's worth, I forked Audacity yesterday and removed all telemetry that could potentially spy on users from the codebase. We're currently deciding on a nice rebranded name (as Audacity is trademarked) and are in the process of founding a GitHub organization afterwards. We're also looking for maintainers that could help with Windows and MacOS builds. The repo's link is (for now):" https://github.com/cookiengineer/audacity
18 comments
[ 165 ms ] story [ 379 ms ] threadhttps://news.ycombinator.com/item?id=27741910 [Audacity fork without any sentry telemetry or crash reporting]
On web services, which don't have access to your whole machine. Also perhaps in closed-source software, which many FOSS users use nothing of.
FOSS doing the same is pretty far from fact of life in 2021.
That's exactly what it says. The part of the privacy policy in discussion is about what they collect, not what they do with data they collect for other reasons.
That's very different from the standard boilerplate, specially for a locally running program.
It's an unfortunate catch-22 really. The best way to improve your program's performance is to collect telemetry, but that opens the door to law enforcement asking for the telemetry data, and you also need (IANAL) to provide a scary privacy policy like this.
If the data you are collecting is useful to law enforcement, for prosecuting an individual, you aren't anonymizing it enough.
The simple response to any law enforcement request should be simple, "We have no way of providing you with data identifiable to an individual."
FOSS has existed for decades without telemetry, it isn't needed to make good software, the convenience of it shouldn't come at the risk to your users, and should not represent a commercial benefit that is required from them to provide to you for use of your product.
It's simple, and the rest of these justifications is noise.
Its just a stupid move that rightly gives the "muse" guys a PR stink.
Never said it meant that. The problem is not with the existence of locally-run programs.
The problem is with outright saying (in the second row, first column of the table in the privacy policy) that they'll collect whatever they feel necessary for whatever requests come in.
As an example of how the privacy policy is worded, if a request comes in to know everything you typed between datetime A and datetime B, they would have to keylog in order to obtain the "Data necessary for law enforcement, litigation and authorities' requests".
The reasonable, standard way to comply with the law would be to instead take the content of column 2 and 3 of row 2 and put them in column 2 and 3 of row 1, and delete column 1 of row 2.
IOW, you collect data for the reasonable operation of your business, and you provide access to that data to authorities when given a warrant. You don't just say you'll collect whatever is requested of you.
> It sends very specific telemetry data home, and I think that's what this document covers.
No, that's part of what the document covers. Specifically, it's what the first row of the table in the privacy policy covers.
But the problem is not the first row; it's the second.
What really irks here is saying that such a policy is normal now and therefore ok, when it's obviously a large new overreach.
The response that it's OK if they say they'll behave like spyware because there's little chance they'll succeed also irks.
But worse are the multiple people saying that people can't recognize a standard policy boilerplate when it obviously is not.
If we're being really generous, it's possible that the current wording was not intended to mean what it says, but that also doesn't make it ok.
I've never seen a privacy policy be as vague and overreaching as Audacity's.
[1] https://www.adobe.com/privacy/policy.html
See also, https://www.darkaudacity.com/