
Voice.ai denies claim it violated open source software license requirements

Maker of voice changing software says it has removed GPLv3 code "to alleviate any doubt"

Voice.ai, maker of a voice-changing SDK and similar apps on several platforms, proclaims its commitment to ethics on its website.

Yet according to a software developer and security researcher who goes by the name Ronsor, the company's software violates two open source licenses in its libraries and is failing to follow up on licensing requirements.

Voice.ai told The Register that claims of code misappropriation are false, but acknowledged that its software included a number of open source libraries and said it has removed the GPL licensed code in an update that's currently being tested.

In a blog post Ronsor recounts scanning the company's Windows app to find that it contained two third-party components, Praat and libgcrypt, that were statically linked into the VoiceAILib.dll library.

To support his claim that the Voice.ai app contains code that's substantially similar to the Praat library, Ronsor posted decompiled source code from the app so that it can be compared with functions in the library.

"This is concerning, since Praat is licensed under the GPLv3 and libgcrypt is licensed under the LGPLv2.1," he wrote. "These licenses are not included with the software at all; in fact, Voice.ai’s Terms of Service [agreement] has sections which explicitly violate these licenses."

The company's terms of service forbid the copying, modification, and reuse of the software, in contravention of the open source licenses that require those freedoms.

Ronsor's post also questions the app's heavy use of obfuscation and the data it collects, which consists of: motherboard and CPU info; audio interfaces; OS version; enabled network interfaces, IP address, and MAC address; computer hostname; and Voice.ai install path.

"While some of this information has obvious legitimate uses for debugging or otherwise (audio interfaces, OS version, install path), other information such as the computer hostname and network interface metadata is completely irrelevant to Voice.ai’s primary function," he wrote.

Ronsor contends that this information is sent to the Voice.ai servers where it is used to derive a communications encryption using the API. He also reports that others in discussions on Discord have claimed that the code contains virtual machine detection routines – potentially an anti-forensic technique.

"Because of this 'DRM spyware,' it is not possible to run the Voice.ai software offline, even though it is clearly technically possible to do so, since it requires a local GPU for live AI processing," Ronsor observed.

Ronsor says he raised his concerns about license violations by attempting to contact the company on February 1 via Discord chat, and via email on the following day. For his trouble, he was banned from Voice.ai's Discord server on February 4, apparently for discussing DRM circumvention.

As of Monday, February 6, he had received no reply from the company about his software licensing inquiry.

Contacted by The Register on the morning (Pacific Time) of Tuesday, February 7, Ronsor said, "I haven't directly heard back from Voice.ai yet, although the moderators of their Discord stated publicly that they informed the developers, and the developers are (supposedly) speaking with their legal team."

The Register asked Ronsor whether he believes community pressure represents the best approach for dealing with alleged open source license violations, given the open source community's historic and practical aversion to legal challenges.

"Assuming there is no blatant evidence of malice, I believe community pressure should always be the first option," Ronsor replied. "If developers respond by complying with the license, then the past violations should be forgiven. Rewarding good behavior is important."

"If pressuring the developers turns out to be ineffective, then threatening legal action is the only option left, and monetary damages should be sought, since it costs time and money to litigate, and it costs time and money to investigate the violation in the first place."

Ronsor said for the most part he agrees with the Free Software Foundation's enforcement principles over the issue.

"Although I was banned from the Voice.ai Discord, I'm still hoping that the violations were due to ignorance rather than malice. Licenses can be complex, after all."

Indeed, it appears that Voice.ai would prefer to resolve the situation amicably. Contacted by The Register, a company spokesperson replied on Tuesday afternoon to acknowledge that the company was looking into Ronsor's claims.

"We are aware of recent speculation regarding the alleged misappropriation of source code. We take accusations of this nature very seriously and would like to categorically state that they are false," a company spokesperson said in an emailed statement.

"Our tech support team received a source code request from the user @ronsor on the evening of the 2nd of February. Our team handles a high volume of customer inquiries and so the request was processed two working days later on the 6th of February. By this time, the user had already created a blog post (February 4th) and started raising allegations on public platforms.

"In parallel, the user had joined our public Discord server and engaged in conversations on how to violate the product’s terms of service, such as reverse engineering, which led to a ban by our volunteer community moderators. This was completely unrelated to the source code request, which no one, especially not our Discord moderation team, was aware of at the time.

"As a bootstrapped startup on a mission to democratize AI, we support the requirements around open source and we are in full compliance with all open source code licenses. We are responding to related requests as quickly as possible. We thank @ronsor for his notification and request."

"While the vast majority of our code is closed source and developed by Voice.ai, we have included a number of open source libraries. Our software does not depend on these libraries for our core technology to function, and for convenience we will be making the relevant source code available on a Github repository. To alleviate any doubt, we have removed the GPL3 code and were able to do so in a few hours, as it was performing such a minimal non-core function. We are pushing this update as soon as it clears QA."

"We hope that this will ultimately strengthen our relationship with the open source community, and are thankful to our Discord members for their support."

The Register asked whether Voice.ai has published the referenced source code to GitHub yet but we've not heard back. ®
