by Ninn 1860 days ago
Based on your stance it seems that you have not seen the intentions declared in the original PR, including opt-in approaches and the use of data solely for development and UX improvements?

I just don't want to take the chance about telemetry data being used for monetization, now or in future. Also, the original PR's setup meant that even if I wanted to share telemetry, there was no way for me to share that without it going to Google/Yandex. And I definitely don't trust them.

Google/Yandex aside, I don't want intelligence agencies around the world tracking which applications I run locally and when I run them.

So, first of all, as someone who works for Google, I don't think you should be worried about it. Using personal data is currently pretty strictly regulated. Using 3rd party analytics data in such a way would likely be illegal (IANAL and I'm not writing this comment on behalf of Google).

And even in the worst case, supposing that Google and Yandex are evil, what's your exact concern? That your presses on Play and Record buttons will be used to target ads?

Imo the last part is a bit too dismissive. It's not too hard to imagine how telemetry from software can be used for ad targeting, or for more nefarious purposes, since the telemetry would have access to track info, including metadata.

If we're imagining worst-case scenarios, my first thought is "use track info to discover unlicensed music usage". Or for ads.

I don't think the actual application-specific events would be used by Google - as every application has its own events and ways to use them there would be no generalized way to do it without having developers manually "reverse engineer" the event meanings and assign them to ad targeting signals.

What Google most likely does however is use persistent analytics IDs to track people and improve their on-site tracking. Let's say you clear your cookies and happen to change IPs (dynamic IP, etc) so you appear to Google's web properties as a new user - all they have to do is wait for some other piece of software on your machine to report analytics with a persistent ID and essentially bridge the gap between your old identity and your new one, so now just based on IP alone, Google's web properties can infer with good accuracy (and the more datapoints the higher it goes) that it's you.

This is EXACTLY what I, and I believe MANY other people

#DONOTWANT

I agree that this might be a concern, but since Audacity is open source sending any sensitive information like track metadata would likely be caught very quickly.

Are you aware of these Googley actions?

1) people's location data they weren't aware was being kept (dozens of stories and nuances now),

2) scraped SSIDs of WiFi routers from...the world...via Street View cars, said "Whoopsie"

3) collected MAC addresses via free terminals and hotspots in...NYC was it?

4) Allowed multiple cross-storage access bugs where users have accessed each others' shit in Drive....

Anyway, I fear you are not an authority on Google's effectiveness at preserving customer privacy.

I'm not claiming to be an authority, I'm just commenting on my experience.

> 1) people's location data they weren't aware was being kept (dozens of stories and nuances now),

Location history is currently off by default.

> 2) scraped SSIDs of WiFi routers from...the world...via Street View cars, said "Whoopsie"

I am quite sure this was an honest mistake.

> 3) collected MAC addresses via free terminals and hotspots in...NYC was it?

Not sure what this is about.

> 4) Allowed multiple cross-storage access bugs where users have accessed each others' shit in Drive...

Again, I don't remember this story, and anyway, bugs happen.

> and anyway, bugs happen.

This is an extraordinarily blasé who-gives-a-shit response to a critical security vulnerability. Hopefully your attitude isn’t representative of your employer. Maintaining the privacy of the data customers entrust to you should be your highest priority.

I'm sorry, but a publicly traded company's highest priority is to its shareholders. To them money is the only priority.

To think otherwise is a bit naive.

User privacy is usually an afterthought, or a PR statement. Since you are the product being sold, your expectation of privacy should be somewhat lower.

For working at Google you seem to know very little about them.

1. Data was sent even though location history was turned off. [1]

2. It is pretty well-known that SSIDs can be used by location services to increase location accuracy, especially where GPS coverage is low or noisy [2], or slow to connect.

3. Would be useful for location tracking again.

4. That seems like a bug that wouldn't really benefit Google at all.

[1]: https://apnews.com/article/north-america-science-technology-...

[2]: https://slate.com/technology/2018/06/how-google-uses-wi-fi-n...

> Using 3rd party analytics data in such a way would likely be illegal (IANAL and I'm not writing this comment on behalf of Google).

Your company is breaching the GDPR with their current tracking consent flows (Google's consent flow does not pass muster according to the ICO's guidelines: https://ico.org.uk/for-organisations/guide-to-data-protectio...), so just because something is illegal doesn't mean Google won't do it, and their friends at Facebook did something similar and got caught using 2FA phone numbers for ad targeting even though they promised they wouldn't.

A good reputation is hard to earn, and easy to lose.

A bad reputation is even more difficult to lose, realistically it never goes away. Ever.

Google has a bad reputation these days. No amount of PR will help. Ever.

(Doubt my above logic? Imagine a person who donates his time to help the poor, then is caught stealing from the poor. Will anyone care about the donation time, or will they primarily only think about the theft? The betrayal?

Will that person ever prove they are "pure" again?)

First, illegal obviously doesn't matter to Google. They are collecting GDPR fines but continuing as before. Responsible authorities in Ireland are asleep at the wheel, probably intentionally. As a user, "illegal" doesn't calm my fears, Google fearing to go bankrupt from fines would. But we aren't there yet. Also, Google will mostly avoid responsibility by dropping it all on the Audacity developers and their terms of service.

And ad targeting by button presses isn't the problem. Telemetry transmitting audio content, memory dumps, screen shots, home directory content is the problem. As an end user, I cannot distinguish between the harmless button-press telemetry and the harmful versions. Pinky swearing in the terms of service doesn't help, users have been lied to too often.

Oh, and btw, button presses can also be harmful, e.g. for an on-screen keyboard, a browser or any application where buttons reveal user data.

> First, illegal obviously doesn't matter to Google.

I'm just an engineer and I have good visibility only in the project that I'm working on, but at least from what I see, the privacy policy is taken very seriously. All product changes are going through legal review, and I'm not aware of any instances where any illegal or even "gray area" changes were knowingly rolled out in production. When GDPR came into law, a lot of work was spent on making all the systems compliant with it.

I'm not saying that everything in Google's billions of products is strictly legal, but "illegal obviously doesn't matter" is obviously wrong.

That the GDPR introduction required a lot of work is a sign that Google failed to comply with German data protection law in the time before. Google did business in Germany, so would have had to comply. GDPR is, in most aspects, a straight translation of what was necessary to do business in Germany for decades. So why should I trust that Google will comply now when it didn't before?

CNIL (the French DPA) could fine Google because Google failed at something as basic as having a Data Protection Officer in their supposed European headquarters in Ireland. If Google legal fails at a two-line appointment letter and an address entry in the privacy legalese, how should Google's legal review be any better?

As to taking things seriously, take for example YouTube. For some time we have now been getting a cookie consent banner, but that was introduced only some time after GDPR came into effect. And that banner is obviously illegal, because it clearly implements the "I agree" vs. "Customize" dark pattern. So I cannot reject as easily as I can agree. And even if I click customize and select "Off" at "Ad personalization", there is still the sentence below that says "We rely on cookies to remember your settings and other preferences. We also use cookies to [...] deliver, maintain, and improve our services and ads". Also, there is the plain lie that "You can change your browser settings to reject some or all cookies.". You can block cookies, after which YouTube just won't work in Firefox. I suppose in Chrome it just uses some other hidden identifier.

So please don't try to tell me that things are taken seriously when I just need 30s to find blatant violations and gray areas. Name any other Google site and I would wager I could easily show you more obvious violations like that. I can accept that an engineer won't know or care about stuff like that, but claiming you have never used YouTube and never seen what I described seems odd to me. I can accept you wanting to defend your employer, but everyone always says something like "it is fine in my project". That only serves to increase my mistrust in any claims by Google employees when things like the above are clearly not OK.

I'm afraid that the question answered by all that "legal review" is "what can we get away with", not "what is legal", and that that was the principle that informed your GDPR not-quite-compliance big initiative.

It is not strictly regulated in the US. Google has internal policies that they aren't required to implement by law.

What I'm about to say I've already said elsewhere in this post, but Audacity has been an incredibly loved and popular FOSS project for 22 years and it's done that without using telemetry.

It's hard for me to not be pessimistic and see the recent sale of Audacity and the introduction of telemetry as the beginning of the end.

Or GP has experience with such promises in the tech landscape, e.g. FB's promise about WhatsApp data.

Or they don't believe in telemetry ever bringing value to users, only to the ones collecting it.