Popular free audio editing tool Audacity has quietly updated its terms and conditions so that it can sell user data to third-party companies and share it “with our main office in Russia”.
The update, which happened on 2 July 2021, means that Audacity will now collect information about users’ operating system, their country (through their IP address), their CPU, and any other data “necessary for law enforcement, litigation and authorities’ requests”.
For “a calendar day”, IP addresses will be “stored in an identifiable way” before being hashed or made anonymous; however, an unencrypted address could be a pathway to finding a users’ name, phone number, and address, the geolocation of the computer, and in some cases further personal characteristics including “political inclinations, state of health, sexuality, [and] religious sentiments”, according to a study conducted in 2013 by the Office of the Privacy Commissioner of Canada.
Audacity will share this personal data with its staff and law enforcement and government agents, or “other third party where we believe disclosure is necessary” as well as “potential buyer[s] … in connection with any proposed purchase, merger, or acquisition”.
Users’ personal data is stored on servers in the European Economic Area, but Audacity says that it is “occasionally required to share your personal data with our main office in Russia and our external counsel in the USA”. It says that personal data “receives an adequate level of protection in accordance with the GDPR.”
Audacity also forbids users under the age of 13 from using it. “If you are under 13 years old, please do not use the App”, the new terms and conditions state; however, this appears to be in conflict with its GPL license, which states that software must be available for free to all users.
Muse Group, which purchased Audacity in May 2021, did not respond to a request for comment from The Independent before time of publication.
“It is no wonder that the latest update is being likened to spyware with the volume of data being acquired from customers. The recent sale of the software highlights how customer data is increasingly more important to software owners and it reflects the true business model of many companies”, Jake Moore, Cybersecurity Specialist at global cybersecurity company ESET, told The Independent.
“When they share, analyse and profit from personal data collection, companies take a gamble that they will only lose a small number of accounts owned by privacy conscious users. The more people realise how important it is to keep limit the sharing of their sensitive information, the more companies will be forced into thinking twice when taking such data.”