Lying without Lying: Cocoatech, Pathfinder, and the Casual Redefinition of Privacy

In Philosophy, Politics, Reviews, Technology by J Michel Metz7 Comments

If you are a user of Apple’s Mac platform, you are familiar with the Finder program. The Finder is a very simple file management program that is the water that user fish forget is there. It’s just one of those things that has always been there, and it is the key, central place that every user manages the files.

It is also extremely basic.

As Apple has progressively tightened its stranglehold around the neck of its users, removing functionality and features (and often downright making things absolutely impossible), it has become more and more important for me to find workarounds that will allow me to get work done using tools that will stay out of the way.

Enter Cocoatech’s Pathfinder

As Apple has removed functionality (or made it more difficult) to navigate the file system, Cocoatech has made up the difference with it’s very good program, Pathfinder. This is not a review of Pathfinder itself, aside to say that as a program it is remarkably useful on older MacOS versions (it has progressively become more unstable as Apple releases newer OS editions, however).

Instead, this is about how Cocoatech has – perhaps without realizing it, it’s unclear – opened up privacy breaches that should be pointed out, if only as a cautionary tale for developers and users alike.

The Enticement Survey

About a week ago, I received a survey from Cocoatech about my usage of Pathfinder in exchange for a 15% discount on an upgrade to the next version. This was enough of an enticement for me to complete the survey, which I did in good faith.

The survey began and ended with a request for my (registered) email address, which I gave. This is normal in the creation of surveys – you use these fields as validation criteria, and it makes a great deal of sense.

Upon clicking next, however, I was shocked to see this notification:

Wait, that was NOT the email I entered!

This is not good. This is so not good.

Remember, I had given the proper email address to Cocoatech twice. I never, ever use gmail for any software purchases (I don’t really use gmail at all, actually).

More importantly, though, there was no reason whatsoever for my “name and photo associated with my Google account” to be recorded.

My relationship is with Cocoatech, not Google. Sure enough, under Cocoatech’s privacy disclosure, they clearly stated (yes, stated, as I can no longer find the privacy statement as I write this) that they would never share or sell your information to any third party.

My Expression of Displeasure

Normally, I don’t respond to surveys, but this time I couldn’t restrain myself.

I’m writing to you to let you know that I filled out this survey, and even got the coupon code.

But I will not be using it.
In fact, I am going to remove PF from all of my computers immediately. In addition, I’m going to recommend to everyone that I have previously prompted to buy Pathfinder, to do the same.
Why?
Because upon completion of the survey, I received this unsettling notice:
The name and photo associated with your Google account will be recorded when you upload files and submit this form.”
I have not used any Google account to correspond or interact with Cocoatech, and there is absolutely no reason whatsoever for Google to interact with Cocoatech. To add insult to injury, the FAQ explains:
We don’t do anything that would infringe on your privacy. Your activity is never tracked and no information is misused. Our servers only store your user information and license key. No credit card, or payment information is stored. If you have questions or concerns, feel free to contact our support team. We take privacy seriously.
Not if you explicitly share information with an outside third party such as Google – which is notorious in its violations of privacy. This is the very definition of “misusing personal information.”
It is a terrible shame, because I had always considered Cocoatech to be one of the “good guys,” and PathFinder to be one of the most useful programs I’ve ever used in my 30+ years of using a Macintosh.
It also creates a lot of work for me, as I now have the moral responsibility of trying to undo the damage of sending people your way for your program.
Very truly yours,
J Metz

I sent it off into the ether, not really expecting a response. To my surprise, I got an email the following day.

Cocoatech’s Response

Here is what I received:

Hi,

Thanks for reaching out. Let me explain how it works.

You can’t fill the survey form unless you sign in with your Google account.
If you do have a Google account, they already have your Google account name and photo which you added at some point earlier creating your account.

We do not share any information with Google.
The survey you took isn’t associated with us meaning that it looks like just another survey form, technically.

I’m sorry if it looks like we violated your privacy.
I can forward your request to our developers to remove your survey entry from the system.

I’d like to reassure you that we do take privacy seriously.

Let me know if I perhaps misunderstood you. Looking forward to your reply.

Best Regards,
Jordan
Path Finder Support Team

Leaving aside the tone of “Let me explain how it works,” I do appreciate the attempt at clarification, even if it appears that Cocoatech might not quite understand the problem completely. I do not leave myself signed in to Google in my browser (not intentionally, anyway), and I was not asked to sign in using any account in order to access the survey. So, obviously there is something going on with the browser that was not under my direct control (and opens up some necessary research into what’s going on at the browser/Google interaction level).

What’s the Big Deal?

The issue here is that Cocoatech is not thinking the consequences through. As I started to think about this, I started to realize that this is not just a Cocoatech problem (they just happen to provide the easiest example). It’s broader than that.

Cocoatech obviously uses Google to provide the survey functionality that they wanted. It also appears, however, that they believe that their responsibility does not extend to what happens when they use Google to provide that survey functionality.

TL;DR: Cocoatech’s Response

The fact that the survey sends non-salient data to Google (or anyone) should have been enough to cause Cocoatech to slam on the brakes. Think about this for a second: what would Google want with that information? What does Google already know that it can augment with this information?

There is a reason why I do not want Google to have information about what software I have on my computer. Google’s privacy violations are legendary. The fact that Cocoatech waited until after I filled out the survey to let me know (and yes, they do get credit for letting me know in the first place!) is, in fact, an ethical problem.

Here’s the real issue, however. It’s highly likely that Cocoatech does not believe this is a privacy violation.

It’s not good enough, though, to simply adopt the attitude, “well, we won’t sell your info; what Google does with that info is out of our hands!”

No, it doesn’t work that way. Cocoatech is responsible for this breach of privacy and of trust. Any developer that wishes to employ a third party to satisfy customer service is responsible for what that third party does with the information.

Bottom Line

Am I overreacting? Anything is possible, but I don’t think so.

Ethics. It’s not just for college credit any more.

We are entering an era where the use of free tools available for being able to improve marketing leaves companies with a “plausible deniability” problem. Cocoatech doesn’t believe, or at the very least, doesn’t understand, that they have just sold their customers as the product to Google to use at Google’s pleasure. They seem to believe that they can absolve themselves of responsibility because they, themselves adhere to some semblance of a privacy policy.

Unfortunately, Cocoatech retains the fiduciary responsibility for ethical behavior, as they have engaged Google on their behalf. It would be the same ethical responsibility if they were to use a malicious third-party survey vendor who installed malware on their customers’ computers. The degree of the violation does not negate the violation itself.

I am saddened by the fact that Cocoatech cannot adhere to their own policies, but I’m even more frightened about the possibility that developers may not even realize that they are being unethical when they try to engage the convenience of “free” tools.

Comments

  1. Hey, I’m the CEO of Cocoatech. I employ a sales girl. She said she wanted to to this thing. She’s not a tech expert and did the best she could. We never intended it to be anything nefarious.

    I have no idea what happened or if it was a privacy violation. We used Google’s tools and that’s it. Take it up with Google. I don’t even really know what your talking about.

    “Cocoatech is not thinking the consequences through” Your right, we have no idea this was an issue. Next time we’ll try something else. But we don’t appreciate getting bashed publicly. We are a small family run struggling business.

    We still consider ourselves the ‘good guys’. We would never in a million years try to fool or violate anyone.

  2. Author

    Hi Steve,

    Thanks for writing in. I confess I was a bit surprised (and suspicious) when the CEO of a company writes in about one of my blogs (though it’s happened before).

    As of this writing, the blog has been up for 3.5 years, and I’d mostly forgotten about it. I tried to write it in such a way that didn’t “bash” Cocoatech, though perhaps that wasn’t as successful as I thought.

    I understand that small developers try to use free tools to get the results that they need. I understand that Google provides free tools. I also know that sometimes “free” isn’t free. The cost is born by someone.

    The issue at hand isn’t whether or not Google kept track of the contents of the survey, though it undoubtedly did. As it turns out, I had been completely right in my paranoia about Google: they were caught tracking location data within a couple months of this article being written, were caught misleading millions of users about privacy by combining user behavior without direct consent, and just before the survey was issued in 2019 had a bug that exposed 52.5M users’ data.

    Where things went off the rails for me was that when it was brought to your company’s attention, the response seemed to be, “That’s not our problem. Whatever the company we use for the survey wants to do with your login information is their problem, not ours.” Unfortunately, this is something you’ve reinforced in your comment, here.

    Ultimately, my point is (and was) that if you want to use a third party to do a survey, that’s fine. There are a few anonymous survey companies out there to use. As a software developer, I would imagine that it would even be possible to create your own web form without too much grief or hassle.

    By using Google, however, and not explaining that a personal account login would be required in advance, a line was crossed. You say, “I have no idea what happened or if it was a privacy violation.” Well (at the risk of being a little too blunt), it was, and now you do. Fun little tidbit: when I saw that notice about my gmail account being used, I didn’t even submit the survey. I simply closed out the browser. However, it went through anyway (as I got a “thank you for completing the survey” email). See what I mean about distrusting Google?

    As I said in the article, I don’t think this is about being malicious. It’s about a mismatch of expectations and the consequences of that.

    For full disclosure, I did go back and re-purchase a later version of PathFinder at full price (version 11, I think). I had to stop using it – not because of the survey, but because it was simply unusable. I hope you can get that copy bug fixed, because it’s something of a table stake when it comes to a file management program.

    Good luck.

  3. I’ve been trying to contact Pathfinder support since February 2022. Have sent them another email last week. No response. The problem is that I have a license and the software is forcing me to buy a subscription.

    1. I can confirm this totally. No responses from several emails I send already to support@cocoatech.com and sales@cocoatech.com. I got an automatic response with a case number only.

      Also no answer on a request posted at their webpage and I am not the only one: https://support.cocoatech.com/hc/en-us/articles/6396321184148-Can-I-cancel-my-subscription-if-I-m-unhappy-with-Path-Finder

      What is going on with Cocoatech? How can we cancel the annual subscription? The suggested solution is from 2 years ago and isn’t working anymore.

      1. Author

        Thanks for sharing your experience. I’m afraid that I don’t have a solution for you, sadly. I avoid subscriptions like the plague (for this very reason) and so the only thing I might suggest is to ensure your credit card or bank doesn’t permit a renewal.

        Good luck.

  4. I used the buggy pathfinder software for a few years because not had some featured I needed, but after they went to a subscription model, I dumped it. Since then, I have been unable to unsubscribe from their marketing spam. Regardless of what I do, who I email, it is always ignored and next time they do a marketing email, I get it.

  5. I recently unsubscribed from PF as they still hadn’t corrected long standing bugs that made the program frustrating to use. Support is next to nil.

    I was informed that I would receive a credit (refund) for the unused portion of the subscription, but despite repeated emails asking when it would happen (been more than three weeks now), no replies and no refund.

    Cocoatech is untrustworthy and unreliable. “But we don’t appreciate getting bashed publicly. We are a small family run struggling business.”

    Maybe if you lived up to your promises you wouldn’t be getting bashed publicly. Maybe if you spent more time fixing the buggy product, then people wouldn’t be dumping you for something else.

Leave a Comment