Website Exposes Jamulus User Geolocation Data

[rdica]

Purpose

This post is intended to provide information to Jamulus users, and to initiate a meaningful dialogue regarding the recent (20251001) and ongoing exposure of Jamulus user geolocation data on a 3rd party website.

Site

The website exposing Jamulus users geolocation data is https://jamulus.live.
Its owner, @mcfnord, has implemented a new feature that displays users “nearby” to the one viewing the website.

The site collects the following data of each user connecting to public Jamulus servers: their IP addresses and usernames.
The site collects the IP address of the user viewing the website.

The site then performs geolocation lookups on https://ip-api.com using those IP addresses. This data is stored on disk for later processing and display. The data is used by the site to determine “nearby” status of the users currently on public Jamulus servers and the viewer of the site. The “nearby” users names are then displayed on the website along with their geolocated city and region (state/province/other) data.

Security Concerns/PII

How is this data collected since Jamulus software itself does not provide this data?

What legal compliance is being followed in the collection and dissemination of this data?

Is there a privacy policy posted?

Is the display of geolocation data integral to the actual function of the feature implemented?

Why is the default action to have said data collected and displayed instead of opt-in (EU GDPR compliance?)

User Configuration Of Client Pertaining To Location

Jamulus client software provides fields that users can choose to fill, if they wish, to let others know where they’re located. The fact that when those fields aren’t filled explicitly means they do not wish to advertise more information. Also, users may wish to maintain a degree of anonymity by providing none or arbitrary data. Whatever the reason(s), the decision to supply that data is controlled by the user.

Some User Feedback

When users were asked about, or informed of the feature as it currently works, the following points they expressed to myself include but are not limited to:

1. Users wanted to know the background story regarding how this is envisioned to be used.
2. Users wanted to know why IP addresses mapped to usernames are needed as they might be PII.
3. Users expressed concern about storing users IPs and don’t really understand how these IPs can be retrieved in the current Jamulus version.
4. Users expressed concern that their data is being collected and they're not users of the site.
5. Users didn’t see a section on the website detailing data collection, privacy policy, opt-in, data deletion, and this feature.
6. Is there a more privacy preserving approach for this feature?

Discussion

This discussion isn’t a judgement of any feature of the website. @mcfnord caters to his sites users and aims to provide them with what he considers useful information. Rather, it’s an opportunity for him to educate us on the new feature, how he feels it benefits the community, etc.

I invite @mcfnord to discuss the sites new feature, the above concerns I have expressed, and points made by other Jamulus users.

The whole Jamulus community benefits when we all work together on things that impact all users of Jamulus.

[ann0see]

Thanks for posting this here. I had a short discussion with the team, and we're unsure if client IPs are used. If this is the case, they could be considered PII - if not anonymized correctly (e.g. last octet anonymized). --> if user IPs are actually collected, we'll need to update https://jamulus.io/wiki/Privacy-Statement#general-information and potentially update Jamulus.

It's a bit odd that users without a set city (checked via Jamulus Explorer) show up with a set city. Even from a purely technical perspective, using IPs for Geolocation is not really accurate. Personally, I would have only used the provided City/Country - as

1. We know that the user set this and wanted to make it available publicly
2. This can be more accurate as the user knows their location better than any API.

Please make sure that

1. if you collect data from people where the GDPR applies you follow the GDPR
2. have an explanation on the website on how data is processed (privacy policy)

Of course, we cannot force anyone to do this, but it's more than good practice - maybe even a legal requirement - to inform users about data collection and sending data to third parties.

[rdica]

As of this posting, @mcfnord is still collecting data:

ip-api.com direct lookup from browser:

Jamulus client user profile configuration:

Jamulus client main window on a server (pondmeet ATL):

Website display of data collected, NOT supplied by the client:

What you"re exploiting is a potential client security bug that should have been reported to the devs. Practitioners of Open Source philosophies would have recognized such and done The Right Thing by reporting it.
You've chosen instead to exploit it in an attempt to enhance your website. This is most disconcerting as it appears your concerns don't seem to align with the spirit of the privacy concerns expressed and designed for by the development team, and the expectation users have of being safe from this kind of activity while using Jamulus.

@mcfnord Please stop your collection of users data. If the Jamulus developers had wanted this ability, they'd have incorporated the functionality into the software themselves. The fact its not is an explicit design decision that respects users privacy.

You should be doing the same.

[elroncam]

I'm part of a group of concerned musicians using Jamulus since April 2020. We have been watching mcfnord since he started putting bots on ours and others servers without permission or even notification. This latest activity from him is even more alarming, and we're feeling we're no longer safe using Jamulus in public. We have already moved some of our activity to private servers due to mcfnords actions against the public network. As of this writing we're weighing leaving the public network altogether.

I don't know if the developers are addressing the issue (@softins do you know?) but here are some mitigations that will help reduce the efficacy of the tracking:

1. Wherever possible try and connect directly to the servers host:port, these can be found using https://explorer.jamulus.io
2. For servers that do not support direct connections, select the server as you normally would and after connecting to a server immediately open the Connect dialog again. Leave open for at least 10+ seconds.
3. For server owners, add the following IP address to the firewall: 137.184.43.255. We found correlation could not be performed with clients connecting to servers blocking this IP address. Note that mcfnord can change the IP at any time, but it isn't hard to find given the query frequency. We found this IP started querying the network 2025-08-18 02:54:01.075331+0000 137.184.43.255 → xxx.xxx.xxx.xxx 22124 JAMULUS 56 CLM_PING_MS_WITHNUMCLIENTS (10441035, 0)

Note these mitigations won't remove data already collected from you, but as long as you continue to evade the tracking, your previously collected data won't be updated.

Other things we've noted:

1. Incorrect geolocation.
2. New names with no previous collection history having arbitrary data displayed.

As users we shouldn't have to go through these steps to remain safe from tracking. I'm hoping this problem can be fixed.

@stefan1000 @rdica Thank you both for bringing this issue up and defining what the actual problem is. I doubt mcfnord would have come clean if no one else had actually detailed the attack vector.

Good luck, keep yourselves safe from tracking, and keep jamming!

[softins]

I don't know if the developers are addressing the issue (@softins do you know?)

There has been a small amount of discussion, but nothing beyond that. All the developers are volunteers who also have Real Lives™. I have not had much time available for Jamulus for a while.

Maybe stefan1000's modifications will be useful to people who are concerned by this issue, and if they were a switchable option might be able to be incorporated into a future release.

Personally, I am not concerned if my IP and possible approximate location get deduced when I connect, and it doesn't make me feel unsafe in any way. I get that others may feel differently.

[stefan1000]

I'd rather vote for an explicit opt-in like "Send my IP as part of the user details" to the server and make it publicly available, instead of deriving this information via questionable methods on the network (afaik the IP address in the connection list msg was removed a while ago due to those concerns).

I can do a PR for the changes if there is a chance to get those in, but in order to work properly and deliver the privacy benefits, it has to be the default behavior, not an option. There's little benefit in pinging each and every server with 2500ms, so the change would also improve performance and lower CPU/network usage. Furthermore, if only a few clients were to use the current randomized ping approach, it could itself be used to identify those clients.

[mcfnord]

@stefan1000:

I wish Directories gathered IPs and did what I'm doing with the information. Even a simple distance-away ordering would be a leap forward. A set-by-default opt-in would be cool.

I think we'd be a safer community with a better offering if determining someone's IP address wasn't trivial. I met a noob last night who was pretty freaked out to learn that the Jamulus client reveals her IP address.

It's interesting to hear that you might improve the ping architecture and Connect UX overall!

@elroncam & @rdica: I filed a bug two weeks before this discussion started.

[mcfnord]

@rdica,

Thanks for interviewing nameless users and reporting back. I've also interviewed 4 users extensively who hold strong views about privacy, and together we evolved from the original prototype of a world map with instruments and names on it. It looked hella cool! But it also freaked people out. The second prototype snapped instruments and even servers to a diamond lattice on a world map. I still find that idea interesting, almost as a "jam planner" but it's just too much information for the task.

---

"Is the display of geolocation data integral to the actual function of the feature implemented?"

I could use kilometers/miles but people's understanding of distance is best attuned to distances to cities. Based on today's feedback, I've changed to showing the user's self-described city (if any), followed by the IP's state/province/region. It's still clear to humans, but in most cases it's only as granular as necessary for our purposes. California is kind of long, and Canadian provinces get very big, but the user still has a sense of distance this way, plus cultural identity to a degree.

---

"Why is the default action to have said data collected and displayed instead of opt-in (EU GDPR compliance?)"

I want rocket-fuel mad fire features that help us grow and thrive, which translates to: big datasets.

• The "gone now but here recently" feature (where the bulb is gray) is based on the fact that I know the last time any two people were together over the last 21 days.
• The "will arrive soon" (orange bulb) uses heatmaps of arrival times for every user over the last 45 days to speculate about what will happen soon.
• I can tell you every participant in every public jam during every minute of the last 90 days.

I'm not a data packrat. I avoided storing any data for years. Now I only store data when I see real potential in having a larger dataset, and I only store it for practical durations. I do this because large datasets lead to products that improve outcomes. Now that I know who uses my website (auto-login, released 2 weeks ago), I can produce many more custom features that lead to better outcomes.

---

"Jamulus client software provides fields that users can choose to fill, if they wish, to let others know where they’re located. The fact that when those fields aren’t filled explicitly means they do not wish to advertise more information. Also, users may wish to maintain a degree of anonymity by providing none or arbitrary data. Whatever the reason(s), the decision to supply that data is controlled by the user."

This line of thinking is not considering the unique patterns that accompany people who abuse our network by anonymizing with a VPN. The feature you've noticed actually flows out of a "global log" of user activity that I've built to track abusers. There are very good reasons why tracking users is and should be part of our defense of public space.

Distance is the best proxy of latency, and navigating latency is a critical facet of success on our platform. My view is that we should reveal enough information users of servers on public directories can use to discover nearby users.

An anecdote: My friend noticed two people jamming on a server far away. They've done this for years, but we noticed that one of the guys was located in the city next to my friend's city. So he connected with the guy and they were able to initiate a low-latency jam. They could have been jamming for years!

I think every Directory should harvest every Client IP from every Server, and should provide a list of nearby users to every browser that asks. Click the icon in the upper-left of the Client, see this list in a browser.

Step back for a moment and remember how we've learned to find people near us within the public network. I'd see someone popping around on local servers, and I'd infer that they might be local to me. That kinda works, but it adds a haze because we're seeing a secondary effect: just seeing which servers the user joins. It should be the goal of Jamulus to tip client users off to other client users near them. This kind of feature, tantalizingly close to us in our Directory architecture, would help us compete with features found in commercial projects that centralize identity management. That's my goal. I want the world's leading live music collaboration community to be a non-commercial, open source platform. To achieve that, we need strategies to compete with some features that centralized, commercial platforms easily provide.

[JacquesFreud]

I hope I fully understand your arguments. You mean you are doing good if you provide users with information about other users so they can have better contact? Do you think musicians that jam with each other regularly don't ever talk to each other (or write in the chat)? Before you put up this geolocation thing there have been quite a few gatherings of musicians without knowing where the other lived. They just asked them. So as far as I am concerned: let us decide for ourselves and stop publishing geolocations.

[elroncam]

Hi...

A group of us have been watching this discussion closely. Some thoughts...

---

I could use kilometers/miles but people's understanding of distance...

So no, the display of the data itself is not intrinsic to its function, it's a choice you made.
Jamulus does not use a peer to peer architecture so nearness is moot. The most important thing is the clients own latency to the server. Some other users proximity to me has no bearing on my connection, nor is it any indicator of how good their connection to same server would be.

---

I want rocket-fuel mad fire features that help us grow and thrive, which translates to: big datasets.

Specifically who is the “us” that you allege your web sites features will help grow, the web sites users?

To be clear, “mad fire features” are something pertaining to a web site, no actual improvements to Jamulus itself and its use. It appears you want to follow in the steps of the AI companies, disregarding user privacy for data collection to provide yourself big datasets.

Why do you feel you’re entitled to collect this data?

How is what you want more important than respecting users privacy, Jamulus privacy ideals, not to mention putting yourself in legal liability for contravention of the EU GDPR and other regions/countries data privacy laws?

Your claim of not being a data packrat cannot be verified since to date you haven’t published a privacy policy compliant with all the regions/countries data privacy laws, nor followed those requirements in the collection of users data. Further, the Jamulus community cannot audit your systems.

---

Step back for a moment and remember how we've learned to find people near us within the public network...

The ping time to a server we connect to is pretty indicative of the latency we'll experience. Neither you nor I have control over another player from a more distant location joining and participating. Given this, users proximity to each other is irrelevant as Jamulus does not use a peer to peer architecture. Your own participation on servers on the other side of the globe would seem to counter your need to find people near you.

---

It should be the goal of Jamulus to tip client users off to other client users near them.

Why?
Jamulus does not use a peer to peer architecture.

Users aren’t limited to connecting to the closest server. Given that, why do other users need to know how close they are to me when I’m on a server halfway around the planet?
Frankly it’s no one elses business where I am unless I choose to reveal that information.

Are you suggesting users are incapable of, or otherwise cannot determine for themselves what servers to connect to based on ping times reported in the client or to whom they want to listen in a session?

Should servers then exercise proximity checks of users connecting to prevent connections from, for example, US clients to Thailand servers?

Proximity is irrelevant. Users can decide for themselves where to connect, or to whom they listen using existing tools like volume/solo/mute if they don't want to hear a participant with excessive latency.

Again, being near another user has no bearing on ones own latency to a server or another users latency to the same, or different server.

---

So far I’ve not seen nor heard any compelling reason for this nearby feature as it has no impact on players choice of server to connect with. Players choose a server based on ping time to it, or who's currently on it. Players follow other players because they enjoy playing with them, not because they’re nearby. Groups of players will change servers in attempts to find the best latency for all players involved. How do they do this? They talk to each other in the session. None of this relies on users data being collected, geolocated, and displayed on a web site.
Ergo the data collection and/or display of users geolocation data serves no legitimate purpose.

I won't ask @mcfnord to stop collecting our data since he's ignored previous requests to do so.

---

I have heard from a number of users that they’re considering moving solely to private servers, or another platform altogether as they no longer feel safe on Jamulus public servers due to this security issue and data collection as a result.

If the developers aren’t already working on a fix for this correlation attack vector, I urge them to do so as this security issue hurts us players more than any assumed benefit a web site feature provides.
As I type this I see @stefan1000 is attempting to provide a fix, thanks @stefan1000 I will test your changes today!

[mcfnord]

Jamulus does not use a peer to peer architecture so nearness is moot. The most important thing is the clients own latency to the server. Some other users proximity to me has no bearing on my connection, nor is it any indicator of how good their connection to same server would be.

People nearby would need a server to connect, but they also have a server on their computer, right next to the client. So knowing who is nearby has been of great benefit to me. Even with years of experience, I have a clearer understanding now of who I can jam with most effectively.

---

Specifically who is the “us” that you allege your web sites features will help grow, the web sites users?

When I find someone who is a good collaborator, that benefits both of us. My website is used rather widely, by many Jamulus "power users". If each of them has better experiences based on clues they find on the website, that helps them and everyone they're playing with.

---

Why do you feel you’re entitled to collect this data?

Because I can use it to improve outcomes.

---

Are you suggesting users are incapable of, or otherwise cannot determine for themselves what servers to connect to based on ping times reported in the client or to whom they want to listen in a session?

I'm not really suggesting anymore. I'm asserting, based on my experience, that this tool improves outcomes. Another real-world example: I noticed people were on a server near me. But I also could see they were actually all the way across the country. So I didn't come in from my walk to check them out.

---

Should servers then exercise proximity checks of users connecting to prevent connections from, for example, US clients to Thailand servers?

Some servers in the American East do this, and people in the American West think it's a douche move. But it helps the West grow so maybe I'm ok with it.

---

Players choose a server based on ping time to it, or who's currently on it. Players follow other players because they enjoy playing with them, not because they’re nearby.

That's kinda true if you already know everyone. What if we grow? Maybe there will be people I don't know! Someone more near to me is much more alluring. I'll try harder to meet them.

---

I have heard from a number of users that they’re considering moving solely to private servers, or another platform altogether as they no longer feel safe on Jamulus public servers due to this security issue and data collection as a result.

I can report that global usage is rising. Just as soon as the weather changed, people began returning to Jamulus. If I stopped, you really have zero awareness whether or not anyone else is doing the same thing in private. Releasing my source code would make that even less clear. But increased awareness has led to some actual prototypes that might prevent this activity. So thank me!

I think there are differences between people who want a "public experience" with all the benefits that might accompany "performing in public", vs. people who want a private experience. If they're seeking a private experience, there are good options out there. If I've pushed a dirty little secret into the light, that's good for security, not bad.

[stefan1000]

@rdica @softins @elroncam @JacquesFreud

Did a quick prototype to "fix" the deterministic ping behaviour, see https://github.com/stefan1000/jamulus/releases/tag/FirstPrototype (just a local windows x64 build). Changes in
https://github.com/stefan1000/jamulus (first version had a bug and was not reliable)

It will keep pinging for 15 to 30 sec after closing the dialog. In addition the regular 2500ms ping of each server was drastically reduced, servers with lower ping will receive more pings, distant servers with larger pings may only receive very few of those.

Dont know if this is stable, will try it out (note that you have to change your jamulus name to trash the hash value)

Tooltip on server ping time shows the stats:

[elroncam]

@stefan1000 Rebuilt client using https://github.com/jamulussoftware/jamulus/compare/main...stefan1000:jamulus:main.diff
Seems to be working so far..

[stefan1000]

@elroncam its not bullet proof - the adaptive ping frequency can actually cause a correlation event "on the other side" :-) ... when the ping is delayed too long and then is detected as a stop of ping, need to think a bit about.

[stefan1000]

hi all, after yesterday´s "live jam testing" for several hours I discovered some issues in the approach which should now be solved in https://github.com/stefan1000/jamulus/commits/main/ and
https://github.com/stefan1000/jamulus/releases/tag/ImprovedV3

[rdica]

@stefan1000 I was able to build this morning your with your changes and will test today, thanks!

[stefan1000]

thx, will continue to do fixes on this fork, just update from time to time.

[JacquesFreud]

I am very sorry for not understanding what all the above is about.

Are these measures to stop publishing geolocations like many of the Jamulus users want? (I asked around in a few servers - nobody really finds geolocations necessary or even useful, most don't even care). As it seems, only @mcfnord thinks it is good for Jamulus?

[rdica]

@JacquesFreud basically yes. These measures will help prevent data collection. Without the data the geolocation lookup cannot proceed.

[NickVeit]

Please stop sending this message to our server. My Imaginary Friends:

(09:45:11 PM) EWS GENTLE BUNNY [OFFLINE] aka mcfnord is illegally collecting your Jamulus user data contrary to Jamulus Privacy policies and EU GDPR. See https://github.com/orgs/jamulussoftware/discussions/3545 for more information. To file a complaint regarding your data being collected see https://www.edpb.europa.eu/sme-data-protection-guide/steps-individuals-can-take-against-you_en.

[anprdev]

Please stop sending this message to our server. My Imaginary Friends:

(09:45:11 PM) EWS GENTLE BUNNY [OFFLINE] aka mcfnord is illegally collecting your Jamulus user data contrary to Jamulus Privacy policies and EU GDPR. See https://github.com/orgs/jamulussoftware/discussions/3545 for more information. To file a complaint regarding your data being collected see https://www.edpb.europa.eu/sme-data-protection-guide/steps-individuals-can-take-against-you_en.

I think showing the Server is not bad. But collect user information even they have not filled in the location but only a User Name is a No-Go.
I have ask the owner of jamulus.live to remove my server Blues/Rock to collect User Geolocation Data.
Wondering if I get a response.

[mcfnord]

@NickVeit : Jamulus.live complies with the EU's GDPR privacy law.

I have a custom build of the server that blocks by network, not by IP. This would stop that chat spam you are seeing, and the previous attacks you saw two months ago from the same party. I have a build for Ubuntu but can make others.

@anprdev: I am investigating the best way to opt a server out. My idea is that you or I could block your server from reaching 137.184.43.255. At this time, you'll still appear in the server list, but I plan to change that in the future, so you'll probably have to opt out of visibility across the whole website.

[stefan1000]

@mcfnord no, I don't think it complies with EU GDPR.

The core network function of sending an anonymous UDP payload for ping, which reveals the IP, is likely covered by legitimate interest for operational necessity, provided the server doesn't store the data. However, your activity is fundamentally different.

You are collecting the leaked IP address, linking it to a username and a 90-day usage history, sending it to a 3rd party for geolocation, and making the resulting PII publicly available.

I met a noob last night who was pretty freaked out to learn that the Jamulus client reveals her IP address.

Imagine her reaction if she discovered you're storing it, linking it to her username and building up a 90-day history of jamulus activities (with whom, when, for how long...), geolocating her, and publishing parts of this on the internet. Can we even be sure that its only 90 days? Crucially, you do not have my permission—nor the explicit, unambiguous consent of many other users—to store and process this sensitive data. Your suggestion of a "set-by-default opt-in" is contradictory; GDPR requires genuine opt-in consent for this type of non-essential data processing.

Your justifications (utility, growth, facilitating real-life meetups) don't meet the legal standard for legitimate interest. The ping time already provides the metric for proximity, and as @JacquesFreud pointed out earlier, real-life connections happen through communication within the application, not through publishing users' locations and session histories. Furthermore, collecting and retaining the PII and session history of all users to combat a few abusers violates the principle of data minimization.

[anprdev]

No problem then.

[elroncam]

I have seen this as well but the clients are not mine.

I have integrated @stefan1000 code into my main clients and have had no issues with the changes. When the website shows my clients location it is always incorrect.

[stefan1000]

@elroncam sorry, just thought it was you since the time they appeared "correlated" :-) with the testing...

hm, those "ping honeypots" in the directories are all on IP 24.199.107.192, which belongs to digital ocean, a cloud provider in the US. And also jamulus.live (134.199.209.51) is hosted there....what a show

Duet | 24.199.107.192:22121
Duet | 24.199.107.192:22122
Duet | 24.199.107.192:22123
Duet | 24.199.107.192:22124
Duet | 24.199.107.192:22125
Duet | 24.199.107.192:22126
Duet | 24.199.107.192:22127

[elroncam]

As is 137.184.43.255 which I suggested blocking above as part of mitigating the correlation attack.

[anprdev]

What a shit show. Owner can better stop with this.