Led Down the Garden Path [Updated]

now sending your address book

Update: Path’s CEO has apologized and promised to delete any collected data. See this entry.

It’s the top story on Techmeme at this moment: the socially-networked “lifestreaming” iPhone app known as Path uploads your entire address book to its servers.

This fact was discovered by Denso developer Arun Thampi when he decided that he’d build a Mac OS X client for Path at his company’s hackathon. To do this, he decided to observe the API calls that Path made to its servers only to discover that the data for his Contacts app – names, email addresses, phone numbers – was getting HTTP POSTed to To see the the full story, be sure to read Arun’s blog entry on the matter.

Path CEO Dave Morin sent a reply to Arun, explaining that the data is used only to help users connect to their friends and family and nothing more. He also said that they “proactively rolled out an opt-in for this” on their Android client a few weeks ago and will include the same opt-in feature on the next version of the iOS client. For anyone who has the current version on their iPhone, that feature came a little too late. This is bad, and the fact that Path has recently been working on “proactive” fixes suggests that they know it.

I have Path on my phone because it’s a gorgeous app and a number of my friends and coworkers were on the network and encouraging me to take it for a spin. That means that my contact info resides on Path’s servers. A good chunk of my life is public by my own choice, so I can live with Path having my own address and phone number, but nobody else on my contacts list signed up for that. Furthermore, inclusion in my contacts list doesn’t necessarily imply that they’re someone I want in my social network graph. But Path can’t discern between my friends and family and others like my ex-wife, my local cab company or that client in Australia who just had a couple of questions. You’d think that Path would’ve learned the lessons of “Fuck You Google”, in which a woman wrote about how Gmail overshared her info with her abusive ex-husband.

It’s an even bigger problem in the case of celebrities, who presumably have other celebs’ numbers in their on-phone Rolodexes. Take a look at this tweet from Alyssa Milano:

The response, by the way:

And did it also upload my notes about people? (Yes, I’m one of those people who actually uses the “Notes” field in Contacts. For business contacts, it’s all part of the schmooze; for friends and family, it’s so I remember things like their likes, dislikes, birthdays, anniversaries and other little things.)

In the comments to Arun’s article, iOS developer Matt Gemmell suggests the following to Dave Morin:

Why are you uploading the actual address book data, rather than (say) generating hashes of the user’s email addresses locally, then uploading just those hashes? You’d be able to do friend-finding that way, and similarly if you uploaded hashes of all email addresses in the user’s address book, you’d be able to do your notifications of when a friend joins. At no point would your servers ever need to see the actual email addresses or phone numbers from our contacts.

He also points out that sending the entire Contacts database to their servers may be a violation of the App Store’s terms and conditions. In fact, section 17.1 of that T&C states:

17.1: Apps cannot transmit data about a user without obtaining the user’s prior permission and providing the user with access to information about how and where the data will be used.

Dave Morin’s been firefighting ever since the news about Path got out. He’s stayed on message with the “we’re not trying to be evil here” line, but with the faith in Google’s “Don’t be evil” mantra pretty much gone, it’s not very reassuring. On the bright side, he has made it clear that if you want your address book and even your Path account deleted from their servers, you have but to send an email to

Update (February 8, 2012): Mike Arrington has put online what I’d been thinking (but didn’t think Path would ever do without a lot of pressure): they should simply delete all the address book data they pulled. It would be an excellent goodwill gesture; let’s see if they take up his suggestion.

(Little hint, Dave: if you keep overusing “proactive” and “proactively” the way you have in your responses and tweets, it becomes a filler word, like “um” and “uh”. Especially when such “proactivity” seems limited to stating that you’re not doing anything wrong.)

There’s been some freaking out over Path in the comments for Arun’s blog entry as well as in other venues online, but it’s time to let cooler heads prevail. Let’s see what Path does in the next 48 hours – as Arun himself puts it, “I hope we can keep calm and continue to discuss this sensibly”.

If you’re developing software that makes use of people’s personal info, let this be a lesson!


The Shopify Fund, Explained

"The Shopify Fund, Explained": stacks of $100 bills arranged into an "S" shape

Shopify, its API and the App Ecosystem

Every now and again, I get asked this question: “Okay, I’ve heard of Shopify, but what does Shopify actually do?” The answer I give depends on who’s asking:

  • The shortest, quickest, clearest, layperson-friendliest answer is something along the lines of “Shopify is a web app that lets you run your own online shop.”
  • I tell people interested in selling stuff online (as well as people whose inclinations are more towards business) that the stores for Angry Birds, Epic Meal Time, Evisu Jeans, Foo Fighters, General Electric, LMFAO, Penny Arcade and Pixar are all powered by Shopify.
  • And finally, for more technically-inclined people, I say “It’s an easy-to-use, themeable hosted ecommerce platform that’s extensible through an API.”

Let talk about Shopify’s API. It lets you write apps that add functionality to or extend the capabilities of a shop. Most of the things that a shopowner can do from the admin panel can be done programmatically via the API; the API also makes it possible for you to get information from a shop so that you can integrate it with other services. You can write an app that will be used only by your shop, or you can write one for use by any shop, which you can sell to shopowners at the App Store.

The API designed to be simple and straightforward. You can call it using either XML or JSON, and it exposes different parts of a shop – such as products (things you sell in a shop), orders (orders placed by customers) and collections (groups of products within a shop) – as resources, each with its own URL and you manipulate the resources using the HTTP verbs GET, POST, PUT and DELETE. We’ve made it as RESTful as possible.

Screenshot of the Shopify App StoreWhat sort of apps have been written? There are about 100 in the App Store, and they do all sorts of things. Apps that have been featured recently on the Shopify Blog and Shopify Technology Blog include:

The Fund

Last month, Shopify landed a sweet $15 million in series B funding, which we’re using to grow the company in all sorts of ways:

  • Some of it will be used to hire the best developers, designers and businesspeople out there.
  • Some of it will be used to fund strategic partnerships and make some acquisitions.
  • Some of it – one million dollars’ worth – will be used to create the Shopify Fund.

"Dr. Evil" from "Austin Powers", touching his lips with his pinky

That’s right, it’s one. Meeeellion. Dollars.

The purpose of the Fund is to encourage the development of Shopify apps. Apps make everyone happy:

  • Shopowners: because they extend the capabilities of their shops.
  • Customers: because when a shop is running well, they get the stuff they want.
  • You, the developer: because you write software for a living.

Joey deVilla on CTV News with the caption "Joey deVilla: Internet Software Developer"

Not only was I a software developer, I played one on TV!

Most of us at Shopify, myself included, come from a development background, and we’ve all done freelance and contract work. We know what it’s like to worry about where this month’s rent is coming from and to juggle and prioritize clients. Wouldn’t it be nice if you had a nice big client that paid you enough to concentrate full-time on a single project?

We want to be that big client! We created this fund to create a mutually beneficial arrangement: you get paid enough to work full-time on a Shopify app for a few weeks without having to take on other contracts and still make a living, and we get apps that extend the capabilities of our platform.

How Much Money are We Talking About Here?

Jack Nicholson's "Joker", dancing in a storm of bills

We expect that most of the projects will range from a couple of weeks’ to a couple of months’ worth of work. We’re looking at a ballpark figure of about $5,000 – $10,000 per app. The amount will vary with the scope and complexity of your project.

How Do You Get In on Some of This Action?

Screen capture of the Shopify Fund page

There are two ways that you can get in on the Shopify Fund:

  1. If you’re a developer with an idea for an app and we think it’s a good one, we’ll pay you to develop it.
  2. If you’re a developer with the talent to build apps but no idea of what to write, take a look at our App Wishlist and see if there’s an app idea you’d like to implement. If you can prove to us that you can deliver, we’ll pay you to develop it.

If you fall into either one of these categories and would like to get funded, visit the Shopify Fund page and fill out the form. We’re accepting submissions until Wednesday, November 30th.

After the submissions close on November 30th, we’ll spend December and a little bit of January reviewing the submissions. App development and funding will start around mid-January.

What Happens If You Get Funded?

A scattered pile of $100 bills

I like to describe the funding as being "like the advances paid to book authors, but nicer".

Suppose your app gets selected (or you get selected to write an app) and we decide to fund your project with $5,000. Here’s what happens:

  1. At the start of the project, we’ll pay you the first half of the “advance”. In this example, that amount is $2,500.
  2. You work on your app. We’ll check in with you regularly during this time.
  3. When the app’s done, you’ll get the second half of the “advance” — the other $2,500.
  4. Your app goes into the Shopify App Store. For every sale of the app, the revenue share between you and Shopify will be 50/50; you receive 50% and we receive 50%. This 50/50 revenue sharing will continue until Shopify’s total of the 50% share equals the advance we gave you (or in other words, until your app rakes in a total of $10,000).
  5. Once our 50% share is equal to the advance we gave you, the revenue share changes to Shopify’s standard 80/20 ratio for sales in the Shopify App Store: you receive 80% and we receive 20%.

See what I mean by “like a literary advance, but better”? With a literary advance, you don’t earn any money until your sales have paid off the advance. With the Shopify Fund, you’re always taking in money, even while you’re “paying off the advance”.

How Do I Find Out More?

If you have any questions or comments, please feel free to drop us a line at! We’d be very happy to answer your questions.

This article also appears in the Shopify Technology Blog.


Featured Shopify App: Kwantify QR Campaign Manager

Welcome to another Featured Shopify App article, where we put the spotlight on a Shopify app and ask its creators about what it does, what its features are and why shopowners should use it. We plan to do this for every app in our App Store, to make sure that shopowners know about all the goodies available to them and to make rock stars out of the developers who build apps on the Shopify platform!

Today’s featured app: Kwantify’s QR Campaign Manager.

What does Kwantify QR Campaign Manager do?

Kwantify’s QR Campaign Manager application is designed to take advantage of the explosive growth in popularity of QR codes as a tool to drive mobile users to online websites. With this application you can quickly and easily generate QR codes that link to any aspect of your Shopify storefront. These codes can be generated in any size and your choice of Black, Purple or Red and are easily downloaded to be printed in your offline marketing initiatives.

Sometime before the holiday season we will be launching version 2.0, a free upgrade for existing users that will bring enhanced features and more customizable elements including location aware reporting (and that’s all I’m going to say on that:).

What are the key features of your app?

The Key feature of Kwantify’s QR Campaign Manager is that it’s easy to use interface and Code image customization options. Shopify retailers can setup a campaign linking to any product, category, blog of custom page in just three easy steps.  QR codes can be generated in any size need and 3 different colours.

When scanned by a mobile QR code reader, the user is redirected to the specified page while prompting the user to share their location.  When shared, Kwantify logs the time and location of the scan resulting in a clear picture of the campaign success.

Why should shopowners use your app?

Any Shopify retailer that uses printed marketing material should use this app to create scannable codes to add to the offline marketing material.  QR Code readers are quickly becoming the “must have” application for the mobile device with more and more handset makers building them into their next generation mobile devices.

Tell us a little bit about yourself.

We started Kwantify in July of 2001 shortly after becoming Shopify and launching, a digital content download store featuring the life’s work of world famous speed and strength coach, the late great Charlie Francis.  We started to tinker with Shopify’s API interface and were instantly hooked!  We quickly came up with a list of potential applications that would make our experience as a online retailer better so we decided to go for it.

Kwantify is dedicated to building sleek, easy to use application that we, as a Shopify retailer would use ourselves to grow our business and offer them to other likeminded Shopify retailer’s at a fair price and with great support.  We want to listen to our customers and help them achieve their online goals both easily and cost effectively.

Where did you get the idea for your app?

We got the idea for our app when we launched a business built on Shopify’s e-commerce platform of our own. We wanted to offer our customers an easy to use tool to take advantage of the explosive popularity of QR codes as a means to interact online with offline marketing campaigns.  The team at Kwantify is quickly getting addicted to snapping a scan of QR codes we see everyday living in Vancouver, BC Canada.  From ads in the newspaper to billboards and posters on the Skytrain, QR codes are popping up everywhere and it is clear the mobile public is eating it up! On our own Shopify website, we have utilized QR codes in all our printed marketing materials and the response is impressive!

Where can I find out more about Kwantify QR Campaign Manager?

You can find out more about Kwantify QR Campaign Manager on its page in the Shopify App Store.

Kwantify also have another app in the store: Kwantify Contact Manager, a contact management tool that captures and processes customer inquiries received from your Shopify storefront.

This article also appears in the Shopify Technology Blog.


Featured Shopify App: Wishpot Button

Wishpot logo

Wishpot is a registry system that lets you create wish lists — wedding registries, honeymoon registries, baby registries, gift idea lists or “here’s some stuff I’d like to have” lists — any kind of list where you invite people to participate in gift-giving. Wishpot has a twist that other registry sites don’t have: it’s universal, and lets you include items from any store.

Wishpot team 2 The Wishpot/Venpop Team.

Wishpot is a Seattle-based company with two brands: Wishpot for consumers and Venpop for business-to-business. They’ve been in business since 2007 building their wishlist platform for the web and in 2010, they introduced their social commerce apps space, now under the Venpop brand.

We invited them to tell us a little more about their Shopify app, Wishpot Button, its features, and how they built it.

What does Wishpot Button do?

Wishpot button icon

Wishpot is the leading universal wishlist service that works with any store.  For shoppers, this means they no longer need to keep track of different wish lists at different websites.  Wishpot provides additional features to keep users engaged year-round – birthday reminders, deal alerts, cash contributions, social sharing features, ecards, and much more.  For store owners, this means less abandonment of wishlists and increased activity on items that have been added to the lists because of the engaging feature set.  This is a free service for both stores and users.

What are the key features of your app?

  • Adds a universal wish list and registry – for example baby and wedding – to your shop
  • Price alerts bring back your customers when prices change on your store
  • Cash Contributions functionality makes it easier to buy your more expensive items
  • Social sharing and ecards allow your customers to easily share their list and get your products discovered
  • Get reporting, in store support, custom branding, experts and much more with the easy upgrade to the white label version

Why should shopowners use this app?

This enables any shop owner to instantly make each product easy to add to a wish list or registry.  It is incredibly easy to install, it does not cost anything, it provides a great service to your customers, and above all drives users and potential customers back to your shop.

Where did you get the idea for your app?

We had several Shopify customers ask to integrate our services with Shopify and after a few conversations with the great guys at Shopify, so we decided it was the time to pull the trigger and start developing some great apps. The Wishpot and Venpop technologies are a perfect extension to the already fantastic Shopify experience.

How long did it take for you to build the app?

The main app was built in about a week, though we revised and simplified it over the course of several more weeks.  The hardest thing to get accustomed to up front was “where” the app runs.  Although the main Wishpot site is built in C# and .NET, we decided to build the app in Ruby and Rails on Heroku due to it’s more extensive use and testing with the Shopify ecosystem.  We then needed to ask a few forum questions about the ScriptTag features, because we really wanted people to be able to install the “add to wishpot” button without having to edit a liquid template, and the scripttag feature enabled us to build that experience.

In order to enable Venpop technologies (this is an update that’s coming to the app in the next few days) we then had to add some additional features to link our .NET-based service to the Ruby-based service, which we’re able to accomplish via oauth and the RESTful apis both platforms provide.  So, when a user authorizes the app, their access token is also sent back to our .NET services, so that Venpop’s product feed processing engine has access to the catalog.  That way, if someone signs up for Venpop Social Commerce, we’ll have access to their storefront to monitor it for changes, tweet new deals, etc.

How can we find you online?

Web: |

Twitter: @wishpot | @venpophq


Where can I find out more about Wishpot button?

Wishpot button icon

You can find out more about Wishpot Button on its page in the Shopify App Store.

This article also appears in the Shopify Technology Blog.