Kyle Rankin

Chief Security Officer
PGP ID: 0xB9EF770D6EFE360F
Fingerprint: 0DFE 2A03 7FEF B6BF C56F 73C5 B9EF 770D 6EFE 360F

Many people accept that free software tends to protect your privacy better than proprietary alternatives, but they may not understand why that is. This week’s news about the Audacity project adding telemetry and the public outcry is a perfect test case to explore why free software means better privacy. If you haven’t been following the story, this piece in The Register provides a good summary. In short, Audacity (audio editing software) published a pull request to add telemetry about their users as an opt-in feature to a future release. The free software community largely balked at this change and started a debate over the change inside the pull request.

To better understand why free software protects your privacy more than proprietary software, let’s contrast a few key points in this story with how it would play out with a proprietary counterpart.

The Change Was Caught Before It Was Merged

One of the first things to notice is that because free software development is done out in the open, this telemetry feature wasn’t discovered after users updated their software, but instead was discovered before it was merged. Not only could users see that telemetry was being added, they could see exactly what data was going to be shared. This immediately opened up the change to discussion in the community where they started explaining why they didn’t want the change. The developers then had to justify and explain the change because there isn’t just the threat that a user will switch to a competing product, there’s also the threat that they will create a fork of your product without the objectionable change.

If this were a proprietary product, they could have simply added telemetry in secret. Once users got the update, there’s a good chance no one would have even noticed the change for a while, unless they monitored the software’s network traffic. Even then, if the traffic were encrypted, you not only couldn’t prove it was telemetry, you wouldn’t know what data was being shared.

Telemetry Is Opt In

Another crucial part of this story is that when the Audacity developers were explaining the change, they also pointed out that collecting telemetry is opt in. Defaults are powerful and an application that automatically collects your data without your permission is much different than an application that only does it if you explicitly tell it to do so. The fact that they designed this feature to be opt in further underscores the fact that because this was free software, they had a different obligation to their users. They understood their users would dislike the change and would outright reject it if it were opt out.

Proprietary apps almost universally default to opt out for tracking (if they give an option at all). This is because companies understand the power of defaults. If their users had to consent before being tracked, many if not most of them would say no. Since so many of these apps are funded by capturing and selling user data, that’s too big a risk to take.

The Community Can Audit Claims

Something else to underscore is that while Audacity developers explained what the change would do, that it was opt in, and which data was being shared with them, the users didn’t have to accept those claims at face value. Because this is free software, you can compare the claims software developers make against the code itself and see if it does what they say it does. If they ended up merging a change that did something different from what they claimed, it would be caught quickly.

With proprietary software you are required to trust the claims from the software developer. While you might be able to audit whether there is an opt out button somewhere, you can’t necessarily know for sure that using that button does anything. In fact, in some cases companies have continued to track people even after they have opted out! Since software sometimes talks to cloud services over an encrypted network, you may not be able to confirm which data the software is sharing about you. You either have to trust the company at their word or assume they are collecting anything they can get their hands on.

Free Software Users Can Protect Their Privacy

The ultimate reason that free software means better privacy is the fact that users can remove any code that violates their privacy and use the rest. This is the threat looming over the Audacity project that ensures they need to listen to their users’ concerns, default to opt in for telemetry features, and limit the amount of data they collect to the absolute minimum. Even then, there is a possibility that if enough users aren’t satisfied with the privacy protections in the software, they may still release a competing version with the controversial bits removed.

Free software users, on the whole, are much more protective of their privacy than the average person. It may be tempting to conclude that people who use proprietary software don’t care about privacy, but I think that conclusion is too simplistic. Both groups care about their privacy, but the difference is that free software users are empowered to protect their privacy. Not only can free software users audit the software they use to see if it violates their privacy, if they discover it does, they can remove those objectionable bits and keep using the software. Even if they can’t audit or modify the software themselves, someone else in the community can, and they can benefit from that work.

In the proprietary world, your privacy is left up to the whims and business models of the company developing the software. In particular in phone apps there is an assumption that if an app is free you are paying for it with your data (and even if an app isn’t free it still may be capturing your data). If you discover a company’s software is violating your privacy you generally have two options: complain but use the software anyway, or stop using the software entirely. The threat of moving to a competitor is essentially the only leverage a proprietary software user has, and given so many competing products also violate user privacy, it’s not that strong of a threat.

Conclusion

It’s still too early to see how the story of Audacity’s telemetry change will play out, but regardless of whether this change doesn’t get merged, gets merged and accepted by the community, or gets merged and the project is forked, free software and user privacy win. We live in a world full of sensors and data collection with so many companies not only collecting private user data, but gaining more power (and more profits) the more data they collect. Free software is one of the few remaining checks against this kind of power, as it’s one of the few places left where everything is done out in the open and the power to protect privacy is still in the user’s hands. When it comes to privacy, proprietary software simply can’t compete.
