Apologetic Audacity rewrites privacy policy after 'significant lapse in communication'

Open-source audio editor Audacity this week posted an apology on GitHub in response to the entirely predictable furore over the platform's privacy policy. An updated privacy policy accompanied the apology, in which the team insisted it had just been misunderstood, and that a look at the source would have shown its intentions …

  1. Tony J Smith

    Per their other recent headlines, let's hope that whoever made this mistake isn't a Chinese dissident that can be threatened with deportation back to China. One Mafia-esque threat a week is more than enough.

    1. This post has been deleted by its author

      1. Anonymous Coward

        Nope, he is in Canada and Muse Group insinuated that his right to stay there was at risk.

  2. Mike 137 Silver badge

    The new normal

    "It sounds like somebody got a bit too handsy with the copy and paste buttons, popped in some boilerplate text and sent it out into the wild world"

    Over half of the privacy "policies" we examined on our research project were just like this - boilerplate text that failed to comply with the law. Unfortunately this is not something the regulators seem particularly interested in - they concentrate on "data breaches" and unlawful mass marketing. The fundamental purpose of data protection legislation (at least in wider Europe) - to protect the human rights of data subjects - has apparently been entirely forgotten.

    However in the case of Audacity the whole issue seems to have been a case of foot and mouth disease rather than any attempt to actually infringe personal privacy.

    In general though, the big problem is consulting corporate lawyers when creating a privacy "policy". The function of the corporate lawyer is to protect the company. The purpose of data protection law is to protect the data subject. There's a bit of a conflict of interest there.

    1. jason_derp

      Re: The new normal

      "In general though, the big problem is consulting corporate lawyers when creating a privacy "policy". The function of the corporate lawyer is to protect the company. The purpose of data protection law is to protect the data subject. There's a bit of a conflict of interest there."

      I'm sure that's just an oversight that will be remedied promptly. Yep.

    2. Anonymous Coward

      Re: The new normal

      "The function of the corporate lawyer is to protect the company. The purpose of data protection law is to protect the data subject. There's a bit of a conflict of interest there."

      You've hit the nail on the head. While the purpose of the law is to protect human rights, the mechanism by which it intends to do so is to make compliance less expensive than non-compliance. Indeed, that is the essential mechanism behind all effective law and has been since at least the time of Hammurabi. If the company believes there's a conflict between its interests and compliance with the law, either the penalty for noncompliance is too small or the risk of being punished too low. When the law is working properly, there is no conflict: lawyers for the company will rightly advise management that their interests lie in complying with the law.

      The only remaining question is whether the 4% of turnover maximum penalty needs to be far higher or the machinery of law enforcement more vigorous. The history of piracy in the 16th and 17th centuries is instructive: when the risk of being caught was low, piracy abounded. When the risk of being caught rose, the irrational were hanged in chains and the rational, seeing their former competitors in that state, quickly opted for compliance. Penalising a corporation a mere 4% of turnover is a far cry from hanging a man in chains, but the Royal Navy was also far more effective at catching pirates than the ICO and its peers are at enforcing GDPR. Managers and corporate lawyers must be made to feel relentless pressure: that there is no escape from the law. But the penalty must also be much stiffer. They need to consider adding individual liability for these crimes, including prison time. If that's not enough, I'm quite sure that encountering one's gibbeted peer swinging over the Thames would encourage the necessary sort of reflection.

      1. elsergiovolador Silver badge

        Re: The new normal

        Given the economy of the EU runs on Keynesian principles, I'd say the purpose of GDPR is to create more bureaucracy and to create jobs that will be servicing it.

        Broken window theorem in practice.

        So many jobs for GDPR consultants, solicitors, training centres, investigators, instructors and so on.

        But has this created any value? I have my doubts.

        1. LybsterRoy Silver badge

          Re: The new normal

          I'd go for zero or negative value, unless you are part of the GDPR industry.

        2. big_D Silver badge

          Re: The new normal

          As someone who values their online privacy, I appreciate the laws and avoid companies that fail to comply with the law.

          I also block around 2.5 million tracking websites that fail to comply with the mandatory opt-in.

      2. A.P. Veening Silver badge

        Re: The new normal

        They need to consider adding individual liability for these crimes, including prison time.

        And the lawyers involved should be subject to the same individual liability with the same punishment. The real problem with all these corporate lawyers is that they get away with it. Once they start sharing the risk of their recommendations and other work, things will improve. Alternatively, we can of course always shoot all the lawyers, lot quicker.

      3. Greybearded old scrote Silver badge

        Re: The new normal

        For many companies 4% of turnover can exceed their profit margin. It's equivalent to hanging the company in chains.

        As you say, there's no appetite for enforcing the rules.

    3. Anonymous Coward

      Re: The new normal

      It should be a criminal offense to churn out policies etc. that don’t comply with law. Especially when it comes to a click-through agreement between an individual and a company. Even if no one is hurt, automatic public prosecution nonetheless. Otherwise this abusive behaviour will not end.

      1. Mike 137 Silver badge

        Re: The new normal

        "It should be a criminal offense to churn out policies etc. that don’t comply with law"

        Unfortunately, in the EU/UK the law is couched in a way that allows very ineffectual fulfilment to comply with its "strict letter". Like almost all compliance management these days, it's process- rather than results-based. Furthermore, the regulators are in general grossly under-resourced so they tend to concentrate on a small number of high profile cases rather than on the expensive pursuit of individual infringements of persons' human rights. The final argument I've received a couple of times from the ICO is that they're not going to take action but I have the right to take the matter to court. Of course I can do this (supposing I can afford to) without there being any need for the regulator to exist, but I'm unlikely to succeed where the regulator (the authoritative point of reference) has effectively undermined my case by declaring the matter in question as not worth their attention.

        1. ThatOne Silver badge

          Re: The new normal

          > comply with its "strict letter"

          On the other hand the "strict letter" of the law is the only thing precisely defined. Everything else is unfortunately open to creative interpretation and can (and will!) be endlessly fought over in court. That's what lawyers are paid for, finding loopholes... The letter of the law is the minimum common denominator all involved parties have to agree upon, as it is there, black on white, and can't be disputed or interpreted away.

          I agree it's sad, but remember "Justice" was never just, it's a misnomer. "Law" has always been (since Hammurabi and before) merely a set of common society rules trying to avoid utter chaos. It creates a bed of relative security and trust on which civilizations can grow.

          1. LybsterRoy Silver badge

            Re: The new normal

            Also, never forget, that in modern times the people making (ie writing) the law often have no idea about the subject they are making law about.

            Go back to Hammurabi and he (or whoever) will understand and possibly have had direct experience of the crimes being addressed.

            1. Mike 137 Silver badge

              Re: The new normal

              To quote Bismarck (1815-98)

              "people who respect the law and like sausages should not watch either being made".

        2. elsergiovolador Silver badge

          Re: The new normal

          so they tend to concentrate on a small number of ~~high profile~~ low hanging fruit cases rather than on the expensive pursuit of individual infringements of persons' human rights

          FTFY

        3. Anonymous Coward

          Re: The new normal

          > "The final argument I've received a couple of times from the ICO is that they're not going to take action but I have the right to take the matter to court."

          2 days ago was a cause of *minor* celebration for me as it was the 1st time for any of the cases I raised with ICO where they have decided to actually "do something" about the issues I highlighted.

          "our decision is that there is more work for the organisation to do.

          We have therefore raised your issues with the Chief Executive, via the Data Protection Officer, explaining that we want them to work with you to resolve any outstanding matters."

          However ICO have completely ignored my core complaint - the Privacy Notice for the NI Census in March was missing some of the information that was legally *required* to be present and it matters not if the Privacy Notice is now "fixed" as the Census is over and the org (NISRA) failed to ensure that all the required information was available to the whole NI population *at the time* that their personal data was collected (as clearly stated in the GDPR).

          If I had failed to complete the Census Form in March (citing I would do so when the Privacy Notice was legally compliant) I would have risked a fine or prosecution yet NISRA it seems will just get a "don't do it again" warning from ICO.

          This month the Electoral Office NI are doing the same thing - a once-every-10-years Electoral Canvass which people are legally obliged to submit yet the Privacy Notice for it is also not GDPR compliant. Do I refuse to fill that out this time until the Privacy Notice is fixed and risk a fine/prosecution?

          1. stiine Silver badge

            Re: The new normal

            You should arrange a meeting with the ICO and arrange to have a reporter and cameraman with you.

            1. Anonymous Coward

              Re: The new normal

              > "You should arrange a meeting with the ICO and arrange to have a reporter and cameraman with you."

              How exactly would a member of the public organise a meeting with the ICO? They barely communicate with people who raise cases in the first place.

              Standard practice for cases raised with ICO is:

              - raise case either using their Web form or by email

              - get automatic email acknowledgement within a few minutes (with *no* tracking reference!)

              - months later (typically 4+ months these days) get an email out of the blue with a reference number quoted telling you they're closing the case and taking no action. Often the email doesn't even mention the organisation that the case relates to (so if you have more than 1 case open with the ICO at the same time you have no idea which of the cases they're closing).

              ICO only allocates a case reference number once someone from their relevant team (i.e. "per industry sector") has a cursory glance at the case, months after it has been raised, before allocating it to a case officer. However ICO don't actually then tell you the reference number (unless you keep phoning them at intervals to ask for it) so typically the 1st time you see the reference is when you get the "case closed" email.

              The idea of ICO letting the general public arrange a meeting with them? Not in this reality...

    4. Gordon 10
      Meh

      Re: The new normal

      I think you risk giving them the benefit of too much doubt. This is what, the 3rd piece of assholery in quick succession from a Muse-owned company?

      Fool me once. Shame on you. Fool me twice - shame on me.

    5. big_D Silver badge

      Re: The new normal

      It seems most companies write policies based on their own HQ jurisdiction and often don't consult or don't listen to local lawyers.

      Even Apple got caught out with OS X retail boxed sets in Germany. They tried to sue users who bought the retail box and installed it on home-built PCs. It didn't go very well, the court pointed out that the terms and conditions regarding installing it on Apple branded devices were inside a shrink-wrapped box, which the purchaser couldn't read at or before the point of sale, therefore the terms and conditions were null and void - under German consumer law, you cannot apply any additional terms and conditions not known at the point of sale / point of sign up (contracts or online services).

  3. Sparkus

    any new project forks?

    new forks might put pause into Muse to stop messing around.....

    1. Anonymous Coward

      Re: any new project forks?

      I think the current plan is to spam their telemetry service with nonsense. Seems only fair - they want to collect it, we provide it.

    2. Pascal Monett Silver badge
      Windows

      Re: any new project forks?

      I think that, with the amount of forks already in existence, Muse can continue doing whatever it wants, it no longer makes any difference.

      Muse made the mistake of confusing Open Source with My Private Data-Gathering Platform.

      Open Source is not going to forget.

    3. Greybearded old scrote Silver badge

      Re: any new project forks?

      Hopefully somebody can fork it without the 4chan 4kerks noticing.

      1. Greybearded old scrote Silver badge
        FAIL

        Re: any new project forks?

        Damn, 10 minute window was up before I spotted the typo in '4chan 4kers.'

  4. teknopaul

    the mechanics of data transmission and storage

    I.e. they have no plans to remove the phone home features that everyone objects to.

    1. Alumoi Silver badge

      Re: the mechanics of data transmission and storage

      So what? There's a little thing called a firewall that can take care of that.

  5. Will Godfrey Silver badge
    FAIL

    The thing is...

    Once you've lost trust, it takes a long time to restore it.

    Veiled threats to Chinese dissidents don't exactly help, even if they were ham-fisted mistakes. There are better ways to get compliance, and in that other case Muse were considerably at fault for providing unsecured access to copyright material.

    1. Anonymous Coward

      Re: Once you've lost trust, it takes a long time to restore it.

      methinks those that put trust in those that broke that already broke it, are careless or naive at best. I mean, how many broken promises does it take for people to get THE message?

      1. ThatOne Silver badge
        Devil

        Re: Once you've lost trust, it takes a long time to restore it.

        > how many broken promises does it take for people to get THE message?

        Come on, a shiny bauble and everything is forgotten and forgiven. Not to mention that a crowd's collective memory has over and over again proven itself to be astonishingly short, as short as a crowd's attention span.

        IMHO don't count on it ever happening. If they lay low for a while, in 6 months everything is forgotten and forgiven, and they know it...

  6. Adair Silver badge

    Let's take the following at face value...

    'The wording has also been updated to emphasise that no additional data is being collected for law enforcement purposes and that no personally identifiable information is being stored.'

    1. '...no additional data is being collected for law enforcement purposes...' - so data is being stored (where: locally/uploaded?) and this pre-existing data collection is/may be being used for law enforcement purposes.

    2. '...no personally identifiable information is being stored.' - so, as above, information is being stored (where, and for what purpose, etc.?); and is not 'personally identifiable', i.e. Trust us on this.

    Now call me paranoid, but what is bumpf like this actually worth, given the realities of corporate and personal behaviour we are exposed to on a daily basis?

    Maybe Muse have made a straight up and monumental PR cock up of things, maybe they are just not very practised at being dishonest, maybe... - who knows?

    What we do know is that once upon a time, in a more innocent age, 'Audacity' was just audio editing software that went about its business on a local machine in a pretty usable kind of way, i.e. it wasn't crap. And that was about all there was, and needed, to be said.

    1. Anonymous Coward

      Re: Let's take the following at face value...

      "Now call me paranoid, but what is bumpf like this actually worth, given the realities of corporate and personal behaviour we are exposed to on a daily basis?"

      There's also the fact that Muse is in Russia, which will happily thumb its nose at any attempt to enforce European law against its resident corporations. In other words, no matter what they claim, you can't rely on it because there's no real incentive to comply with their own policy. If a European court were to find against Muse and then make noise about enforcing penalties against Russian assets in the EU, Putin will threaten to turn off your gas and your politicians will put in a quiet word to the judge; that will be the end of it. Therefore if you use software from Russia, they can take whatever they want and do whatever they want with it. If you don't like that, don't use it. The back and forth over words on a page is mere theatre.

    2. 142

      Re: Let's take the following at face value...

      They do state elsewhere in the document that the only data now transmitted/stored is the IP address for auto-update requests, which isn't included in the Linux builds, and can be disabled in the Windows one.

      It should be relatively trivial to verify if this is the case.

      I have absolutely no confidence they won't pull more bullshit again next week, but it does seem that at least for now, it's a reasonable rollback.

  7. elsergiovolador Silver badge

    Non-apology apology

    Textbook example.

    "We are sorry that you didn't understand what we are up to, stupid."

    Can this sink any lower?

    1. Anonymous Coward

      Re: Non-apology apology

      Yes, it can and probably will.

      Eventually, the process of constant crisis management will take its toll, and the company will stop intentionally doing things that trigger a tidal rage. The problem is that they will then go on to do several more by accident before the learning sets in, or the project gets spun off.

      A couple years of hard work and fence mending and the forks could move back, but a few more faceplants will probably happen first.

  8. eldakka

    "After extensive further consultation with our lawyers, we have determined that this provision is unnecessary given the actual mechanics of data transmission and storage. The provision had been included out of an abundance of ~~caution~~ incompetence, but in the end turned out not to be required."

    Fixed that for them.

  9. marcellothearcane
    FAIL

    Dual license...

    They say "examine the code", but that doesn't count for anything, since with a dual license they aren't releasing the code from their binaries - that's how they're hiding the telemetry nonsense and goodness knows what else.

  10. jonathan keith

    Has anyone told Muse that their horse is dead and they can stop flogging it now?

    1. A.P. Veening Silver badge

      Why should anyone? They may switch to another (still living) horse.

  11. Anonymous Coward

    347578th time

    lucky? :(

  12. veti Silver badge

    "... improve our processes for releasing any information"

    In other words, engineers are no longer writing public-facing documentation themselves.

    Result, I'd say. Engineers in my experience hate doing that, and they suck at it anyway. I wouldn't be surprised to learn that they sometimes put these little bombshells in on purpose to persuade their employers to give the job to someone else.

  13. 89724102172714182892114I7551670349743096734346773478647892349863592355648544996312855148587659264921

    > Apologetic Audacity

    They're not apologetic - they're audacious... mindless hypnotised automatons constantly triggered by the product name

  14. Anonymous Coward

    Muse

    Mute
