Lying without Lying: Cocoatech, Pathfinder, and the Casual Redefinition of Privacy

If you are a user of Apple’s Mac platform, you are familiar with the Finder program. The Finder is a very simple file management program; it is the water that the fish (its users) forget is there. It’s just one of those things that has always been there, and it is the key, central place where every user manages files.

It is also extremely basic.

As Apple has progressively tightened its stranglehold around the neck of its users, removing functionality and features (and often downright making things absolutely impossible), it has become more and more important for me to find workarounds that will allow me to get work done using tools that will stay out of the way.

Enter Cocoatech’s Pathfinder

As Apple has removed functionality for navigating the file system (or made it more difficult to use), Cocoatech has made up the difference with its very good program, Pathfinder. This is not a review of Pathfinder itself, except to say that as a program it is remarkably useful on older MacOS versions (it has progressively become more unstable as Apple releases newer OS editions, however).

Instead, this is about how Cocoatech has – perhaps without realizing it, it’s unclear – opened up privacy breaches that should be pointed out, if only as a cautionary tale for developers and users alike.

The Enticement Survey

About a week ago, I received a survey from Cocoatech about my usage of Pathfinder in exchange for a 15% discount on an upgrade to the next version. This was enough of an enticement for me to complete the survey, which I did in good faith.

The survey began and ended with a request for my (registered) email address, which I gave. This is normal in the creation of surveys – you use these fields as validation criteria, and it makes a great deal of sense.

Upon clicking next, however, I was shocked to see this notification:

Wait, that was NOT the email I entered!

This is not good. This is so not good.

Remember, I had given the proper email address to Cocoatech twice. I never, ever use gmail for any software purchases (I don’t really use gmail at all, actually).

More importantly, though, there was no reason whatsoever for my “name and photo associated with my Google account” to be recorded.

My relationship is with Cocoatech, not Google. Sure enough, under Cocoatech’s privacy disclosure, they clearly stated (yes, stated, as I can no longer find the privacy statement as I write this) that they would never share or sell your information to any third party.

My Expression of Displeasure

Normally, I don’t respond to surveys, but this time I couldn’t restrain myself.

I’m writing to you to let you know that I filled out this survey, and even got the coupon code.

But I will not be using it.
In fact, I am going to remove PF from all of my computers immediately. In addition, I’m going to recommend to everyone that I have previously prompted to buy Pathfinder, to do the same.
Because upon completion of the survey, I received this unsettling notice:
“The name and photo associated with your Google account will be recorded when you upload files and submit this form.”
I have not used any Google account to correspond or interact with Cocoatech, and there is absolutely no reason whatsoever for Google to interact with Cocoatech. To add insult to injury, the FAQ explains:
We don’t do anything that would infringe on your privacy. Your activity is never tracked and no information is misused. Our servers only store your user information and license key. No credit card, or payment information is stored. If you have questions or concerns, feel free to contact our support team. We take privacy seriously.
Not if you explicitly share information with an outside third party such as Google – which is notorious in its violations of privacy. This is the very definition of “misusing personal information.”
It is a terrible shame, because I had always considered Cocoatech to be one of the “good guys,” and PathFinder to be one of the most useful programs I’ve ever used in my 30+ years of using a Macintosh.
It also creates a lot of work for me, as I now have the moral responsibility of trying to undo the damage of sending people your way for your program.
Very truly yours,
J Metz

I sent it off into the ether, not really expecting a response. To my surprise, I got an email the following day.

Cocoatech’s Response

Here is what I received:


Thanks for reaching out. Let me explain how it works.

You can’t fill the survey form unless you sign in with your Google account.
If you do have a Google account, they already have your Google account name and photo which you added at some point earlier creating your account.

We do not share any information with Google.
The survey you took isn’t associated with us meaning that it looks like just another survey form, technically.

I’m sorry if it looks like we violated your privacy.
I can forward your request to our developers to remove your survey entry from the system.

I’d like to reassure you that we do take privacy seriously.

Let me know if I perhaps misunderstood you. Looking forward to your reply.

Best Regards,
Path Finder Support Team

Leaving aside the tone of “Let me explain how it works,” I do appreciate the attempt at clarification, even if it appears that Cocoatech might not quite understand the problem completely. I do not leave myself signed in to Google in my browser (not intentionally, anyway), and I was not asked to sign in using any account in order to access the survey. So, obviously there is something going on with the browser that was not under my direct control (and opens up some necessary research into what’s going on at the browser/Google interaction level).

What’s the Big Deal?

The issue here is that Cocoatech is not thinking the consequences through. As I started to think about this, I started to realize that this is not just a Cocoatech problem (they just happen to provide the easiest example). It’s broader than that.

Cocoatech obviously uses Google to provide the survey functionality that they wanted. It also appears, however, that they believe that their responsibility does not extend to what happens when they use Google to provide that survey functionality.

TL;DR: Cocoatech’s Response

The fact that the survey sends non-salient data to Google (or anyone) should have been enough to cause Cocoatech to slam on the brakes. Think about this for a second: what would Google want with that information? What does Google already know that it can augment with this information?

There is a reason why I do not want Google to have information about what software I have on my computer. Google’s privacy violations are legendary. The fact that Cocoatech waited until after I filled out the survey to let me know (and yes, they do get credit for letting me know in the first place!) is, in fact, an ethical problem.

Here’s the real issue, however. It’s highly likely that Cocoatech does not believe this is a privacy violation.

It’s not good enough, though, to simply adopt the attitude, “well, we won’t sell your info; what Google does with that info is out of our hands!”

No, it doesn’t work that way. Cocoatech is responsible for this breach of privacy and of trust. Any developer that wishes to employ a third party to satisfy customer service is responsible for what that third party does with the information.

Bottom Line

Am I overreacting? Anything is possible, but I don’t think so.

Ethics. It’s not just for college credit any more.

We are entering an era where the use of free tools to improve marketing leaves companies with a “plausible deniability” problem. Cocoatech doesn’t believe, or at the very least, doesn’t understand, that they have just sold their customers as the product to Google to use at Google’s pleasure. They seem to believe that they can absolve themselves of responsibility because they themselves adhere to some semblance of a privacy policy.

Unfortunately, Cocoatech retains the fiduciary responsibility for ethical behavior, as they have engaged Google on their behalf. It would be the same ethical responsibility if they were to use a malicious third-party survey vendor who installed malware on their customers’ computers. The degree of the violation does not negate the violation itself.

I am saddened by the fact that Cocoatech cannot adhere to their own policies, but I’m even more frightened about the possibility that developers may not even realize that they are being unethical when they try to engage the convenience of “free” tools.