Future Tech

Voice.ai denies claim it violated open source software license requirements

Tan KW
Publish date: Wed, 08 Feb 2023, 09:58 AM

Voice.ai, maker of a voice-changing SDK and similar apps on several platforms, proclaims its commitment to ethics on its website.

Yet according to a software developer and security researcher who goes by the name Ronsor, the company's software violates two open source licenses in its libraries and is failing to follow up on licensing requirements.

Voice.ai told The Register that claims of code misappropriation are false, but acknowledged that its software included a number of open source libraries and said it has removed the GPL licensed code in an update that's currently being tested.

In a blog post Ronsor recounts scanning the company's Windows app to find that it contained two third-party components, Praat and libgcrypt, that were statically linked into the VoiceAILib.dll library.

To support his claim that the Voice.ai app contains code that's substantially similar to the Praat library, Ronsor posted decompiled source code from the app so that it can be compared with functions in the library.

"This is concerning, since Praat is licensed under the GPLv3 and libgcrypt is licensed under the LGPLv2.1," he wrote. "These licenses are not included with the software at all; in fact, Voice.ai’s Terms of Service [agreement] has sections which explicitly violate these licenses."

The company's terms of service forbid the copying, modification, and reuse of the software, in contravention of the open source licenses that require those freedoms.

Ronsor's post also questions the app's heavy use of obfuscation and the data it collects, which consists of: motherboard and CPU info; audio interfaces; OS version; enabled network interfaces, IP address, and MAC address; computer hostname; and Voice.ai install path.

"While some of this information has obvious legitimate uses for debugging or otherwise (audio interfaces, OS version, install path), other information such as the computer hostname and network interface metadata is completely irrelevant to Voice.ai’s primary function," he wrote.

Ronsor contends that this information is sent to the Voice.ai servers where it is used to derive a communications encryption using the API. He also reports that others in discussions on Discord have claimed that the code contains virtual machine detection routines - potentially an anti-forensic technique.

"Because of this 'DRM spyware,' it is not possible to run the Voice.ai software offline, even though it is clearly technically possible to do so, since it requires a local GPU for live AI processing," Ronsor observed.

Ronsor says he raised his concerns about license violations by attempting to contact the company on February 1 via Discord chat, and via email on the following day. For his trouble, he was banned from Voice.ai's Discord server on February 4, apparently for discussing DRM circumvention.

As of Monday, February 6, he had received no reply from the company about his software licensing inquiry.

Contacted by The Register on the morning (Pacific Time) of Tuesday, February 7, Ronsor said, "I haven't directly heard back from Voice.ai yet, although the moderators of their Discord stated publicly that they informed the developers, and the developers are (supposedly) speaking with their legal team."

The Register asked Ronsor whether he believes community pressure represents the best approach for dealing with alleged open source license violations, given the open source community's historic and practical aversion to legal challenges.

"Assuming there is no blatant evidence of malice, I believe community pressure should always be the first option," Ronsor replied. "If developers respond by complying with the license, then the past violations should be forgiven. Rewarding good behavior is important."

"If pressuring the developers turns out to be ineffective, then threatening legal action is the only option left, and monetary damages should be sought, since it costs time and money to litigate, and it costs time and money to investigate the violation in the first place."

Ronsor said for the most part he agrees with the Free Software Foundation's enforcement principles over the issue.

"Although I was banned from the Voice.ai Discord, I'm still hoping that the violations were due to ignorance rather than malice. Licenses can be complex, after all."

Indeed, it appears that Voice.ai would prefer to resolve the situation amicably. Contacted by The Register, a company spokesperson replied on Tuesday afternoon to acknowledge that the company was looking into Ronsor's claims.

The Register asked whether Voice.ai has published the referenced source code to GitHub yet but we've not heard back. ®

 

https://www.theregister.com//2023/02/08/voiceai_open_source/
