404 Media

2025-09-30 13:36:40

Google Just Removed Seven Years of Political Advertising History from 27 Countries

Google’s Ad Transparency tool no longer shows political online advertisements that ran on its platforms, in the past or present, from any countries in the European Union, making seven years of data from 27 different countries inaccessible.

Liz Carolan, who publishes Irish technology and politics newsletter The Briefing, spotted the change on September 28. Carolan noticed that until last week, Google’s Ad Transparency tool would allow visitors to search ads that have run in countries in the EU going back to 2018, including data about who was targeted, how much was spent on each ad, and for what candidates or parties. This week, political ads from Ireland as well as the other 26 countries in the EU are gone from the Ad Transparency political ads country selection page.

“We had been told that Google would try to stop people placing political ads, a ‘ban’ that was to come into effect this week. I did not read anywhere that this would mean the erasure of this archive of our political history,” Carolan wrote.

The change is in response to the EU’s upcoming Regulation on Transparency and Targeting of Political Advertising (TTPA), a law set to enter full force on October 10. The TTPA lays out new regulations for advertisers in the EU, including requirements that political ads “must be clearly labelled as such and include information on who paid for it, to which election, referendum, legislative or regulatory process it is linked and whether targeting or ad-delivery techniques have been used,” according to an EU summary of the law, and limits targeting and ad delivery of political advertising to strict conditions, including requiring consent from ads’ targets that their data be used for political advertising. Certain categories of demographic data, like racial or ethnic origin or political opinions, can’t be used for profiling by advertisers.

On August 5, Google posted new guidelines for political ads in EU countries, and said that past ads would still be accessible in the Transparency Center: “As of September 2025, the EU Political Ads Transparency report will be no longer available. However, EU Election Ads previously shown in the Political Ads Transparency Report will remain publicly accessible in the Ads Transparency Center, subject to retention policies.”

In July, Meta also announced it would no longer allow “political, electoral and social issue ads” on its platforms in the EU, “given the unworkable requirements and legal uncertainties” introduced by the TTPA. Past ads from the EU are still visible on Meta’s ad library.

The law dictates that online ads will be available in “an online European repository,” but that repository hasn’t launched yet. Researchers and journalists rely on tools like Google’s Ad Transparency platform and Meta’s similar platform for information on who was running political ads and how; now, they’ll have to wait for that repository to launch.

Google announced in November 2024 that it would stop serving political ads in the EU in October 2025, ahead of the TTPA. “Additionally, paid political promotions, where they qualify as political ads under the TTPA, will no longer be permitted on YouTube in the EU,” Google’s Vice President for Government Affairs and Public Policy for Europe Annette Kroeber-Riel wrote in a company blog post.

“The European Union’s upcoming Regulation on Transparency and Targeting of Political Advertising (TTPA) unfortunately introduces significant new operational challenges and legal uncertainties for political advertisers and platforms,” Kroeber-Riel wrote. “For example, the TTPA defines political advertising so broadly that it could cover ads related to an extremely wide range of issues that would be difficult to reliably identify at scale. There is also a lack of reliable local election data permitting consistent and accurate identification of all ads related to any local, regional or national election across any of 27 EU Member States. And key technical guidance may not be finalized until just months before the regulation comes into effect.” The law is vague, but doesn’t specifically require platforms to delete past ads. It’s likely that many of the ads stored by Google in the Transparency Center would be in violation of the law today, however; instead of combing through hundreds of thousands of ads, it’s possible Google just removed the entire EU.

Google did not respond to 404 Media’s request for comment.
playlist.megaphone.fm?p=TBIEA2…

An update on political advertising in the European Union

Google will stop serving political advertising in the EU ahead of new regulation in October 2025.

^{Annette Kroeber-Riel (Google)}

404 Media

2025-09-30 13:03:31

18 Lawyers Caught Using AI Explain Why They Did It

Earlier this month, an appeals court in California issued a blistering decision and record $10,000 fine against a lawyer who submitted a brief in which “nearly all of the legal quotations in plaintiff’s opening brief, and many of the quotations in plaintiff’s reply brief, are fabricated” through the use of ChatGPT, Claude, Gemini, and Grok. The court said it was publishing its opinion “as a warning” to California lawyers that they will be held responsible if they do not catch AI hallucinations in their briefs.

In that case, the lawyer in question “asserted that he had not been aware that generative AI frequently fabricates or hallucinates legal sources and, thus, he did not ‘manually verify [the quotations] against more reliable sources.’ He accepted responsibility for the fabrications and said he had since taken measures to educate himself so that he does not repeat such errors in the future.”

As the judges remark in their opinion, the use of generative AI by lawyers is now everywhere, and when it is used in ways that introduce fake citations or fake evidence, it is bogging down courts all over America (and the world). For the last few months, 404 Media has been analyzing dozens of court cases around the country in which lawyers have been caught using generative AI to craft their arguments, generate fictitious citations, generate false evidence, cite real cases but misinterpret them, or otherwise take shortcuts that has introduced inaccuracies into their cases. Our main goal was to learn more about why lawyers were using AI to write their briefs, especially when so many lawyers have been caught making errors that lead to sanctions and that ultimately threaten their careers and their standings in the profession.

To do this, we used a crowdsourced database of AI hallucination cases maintained by the researcher Damien Charlotin, which so far contains more than 410 cases worldwide, including 269 in the United States. Charlotin’s database is an incredible resource, but it largely focuses on what happened in any individual case and the sanctions against lawyers, rather than the often elaborate excuses that lawyers told the court when they were caught. Using Charlotin’s database as a starting point, we then pulled court records from around the country for dozens of cases where a lawyer offered a formal explanation or apology. Pulling this information required navigating clunky federal and state court record systems and finding and purchasing the specific record where the lawyer in question tried to explain themselves (these were often called “responses to order to show cause.”) We also reached out to lawyers who were sanctioned for using AI to ask them why they did it. Very few of them responded, but we have included explanations from the few who did.

What we found was incredibly fascinating, and reveals a mix of lawyers blaming IT issues, personal and family emergencies, their own poor judgment and carelessness, and demands from their firms and the industry to be more productive and take on more casework. But most often, they simply blame their assistants.

Few dispute that the legal industry is under great pressure to use AI. Legal giants like Westlaw and LexisNexis have pitched bespoke tools to law firms that are now regularly being used, but Charlotin’s database makes clear that lawyers are regularly using off-the-shelf generalized tools like ChatGPT and Gemini as well. There’s a seemingly endless number of startups selling AI legal tools that do research, write briefs, and perform other legal tasks. While working on this article, it became nearly impossible to keep up with new cases of lawyers being sanctioned for using AI. Charlotin has documented 11 new cases within the last week alone.

This article is the first of several 404 Media will write exploring the use of AI in the legal profession. If you’re a lawyer and have thoughts or firsthand experiences, please get in touch. Some of the following anecdotes have been lightly edited for clarity.

💡
Are you a lawyer or do you work in the legal industry? We want to know how AI is impacting the industry, your firm, and your job. Using a non-work device, you can message me securely on Signal at jason.404. Otherwise, send me an email at jason@404media.co.

A lawyer in Indiana blames the court (Fake case cited)

A judge stated that the lawyer “took the position that the main reason for the errors in his brief was the short deadline (three days) he was given to file it. He explained that, due to the short timeframe and his busy schedule, he asked his paralegal (who once was, but is not currently, a licensed attorney) to draft the brief, and did not have time to carefully review the paralegal's draft before filing it.”

A lawyer in New York blamed vertigo, head colds, and malware

"He acknowledges that he used Westlaw supported by Google Co-Pilot which is an artificial intelligence-based tool as preliminary research aid." The lawyer “goes on to state that he had no idea that such tools could fabricate cases but acknowledges that he later came to find out the limitation of such tools. He apologized for his failure to identify the errors in his affirmation, but partly blames ‘a serious health challenge since the beginning of this year which has proven very persistent which most of the time leaves me internally cold, and unable to maintain a steady body temperature which causes me to be dizzy and experience bouts of vertigo and confusion.’ The lawyer then indicates that after finding about the ‘citation errors’ in his affirmation, he conducted a review of his office computer system and found out that his system was ‘affected by malware and unauthorized remote access.’ He says that he compared the affirmation he prepared on April 9, 2025, to the affirmation he filed to [the court] on April 21, 2025, and ‘was shocked that the cases I cited were substantially different.’”

A lawyer in Florida blames a paralegal and the fact they were doing the case pro bono (Fake cases and hallucinated quotes)

The lawyer “explained that he was handling this appeal pro bono and that as he began preparing the brief, he recognized that he lacked experience in appellate law. He stated that at his own expense, he hired ‘an independent contractor paralegal to assist in drafting the answer brief.’ He further explained that upon receipt of a draft brief from the paralegal, he read it, finalized it, and filed it with this court. He admitted that he ‘did not review the authority cited within the draft answer brief prior to filing’ and did not realize it contained AI generated content.

A lawyer in South Carolina said he was rushing (Fake cases generated by Microsoft CoPilot)

“Out of haste and a naïve understanding of the technology, he did not independently verify the sources were real before including the citations in the motion filed with the Court seeking a preliminary injunction”

A lawyer in Hawaii blames a New Yorker they hired

This lawyer was sanctioned $100 by a court for one AI-generated case, as well as quoting multiple real cases and misattributing them to that fake case. They said they had hired a per-diem attorney—“someone I had previously worked with and trusted,” they told the court—to draft the case, and though they “did not personally use AI in this case, I failed to ensure every citation was accurate before filing the brief.” The Honolulu Civil Beat reported that the per-diem attorney they hired was from New York, and that they weren’t sure if that attorney had used AI or not.

The lawyer told us over the phone that the news of their $100 sanction had blown up in their district thanks to that article. “ I was in court yesterday, and of course the [opposing] attorney somehow brought this up,” they said in a call. According to them, that attorney has also used AI in at least seven cases. Nearly every lawyer is using AI to some degree, they said; it’s just a problem if they get caught. “The judges here have seen it extensively. I know for a fact other attorneys have been sanctioned. It’s public, but unless you know what to search for, you’re not going to find it anywhere. It’s just that for some stupid reason, my matter caught the attention of a news outlet. It doesn’t help with business.”

A lawyer in Arizona blames someone they hired

A judge wrote “this is a case where the majority of authorities cited were either fabricated, misleading, or unsupported. That is egregious … this entire litigation has been derailed by Counsel’s actions. The Opening Brief was replete with citation-related deficiencies, including those consistent with artificial intelligence generated hallucinations.”

The attorney claimed “Neither I nor the supervising staff attorney knowingly submitted false or non-existent citations to the Court. The brief writer in question was experienced and credentialed, and we relied on her professionalism and prior performance. At no point did we intend to mislead the Court or submit citations not grounded in valid legal authority.”

A lawyer in Louisiana blames Westlaw (a legal research tool)

The lawyer “acknowledge[d] the cited authorities were inaccurate and mistakenly verified using Westlaw Precision, an AI-assisted research tool, rather than Westlaw’s standalone legal database.” The lawyer further wrote that she “now understands that Westlaw Precision incorporates AI-assisted research, which can generate fictitious legal authority if not independently verified. She testified she was unable to provide the Court with this research history because the lawyer who produced the AI-generated citations is currently suspended from the practice of law in Louisiana:

“In the interest of transparency and candor, counsel apologizes to the Court and opposing counsel and accepts full responsibility for the oversight. Undersigned counsel now understands that Westlaw Precision incorporates AI-assisted research, which can generate fictitious legal authority if not independently verified. Since discovering the error, all citations in this memorandum have been independently confirmed, and a Motion for Leave to amend the Motion to Transfer has been filed to withdraw the erroneous citations. Counsel has also implemented new safeguards, including manual cross-checking in non AI-assisted databases, to prevent future mistakes.”

“At the time, undersigned counsel understood these authorities to be accurate and reliable. Undersigned counsel made edits and finalized the pleading but failed to independently verify every citation before filing it. Undersigned counsel takes responsibility for this oversight.

Undersigned counsel wants the Court to know that she takes this matter extremely seriously. Undersigned counsel holds the ethical obligations of our profession in the highest regard and apologizes to opposing counsel and the Court for this mistake. Undersigned counsel remains fully committed to the ethical obligations as an officer of the court and the standards expected by this Court going forward, which is evidenced by requesting leave to strike the inaccurate citations. Most importantly, undersigned counsel has taken steps to ensure this oversight does not happen again.”

A lawyer in New York says the death of their spouse distracted them

“We understand the grave implications of misreporting case law to the Court. It is not our intention to do so, and the issue is being investigated internally in our office,” the lawyer in the case wrote.

“The Opposition was drafted by a clerk. The clerk reports that she used Google for research on the issue,” they wrote. “The Opposition was then sent to me for review and filing. I reviewed the draft Opposition but did not check the citations. I take full responsibility for failing to check the citations in the Opposition. I believe the main reason for my failure is due to the recent death of my spouse … My husband’s recent death has affected my ability to attend to the practice of law with the same focus and attention as before.”

A lawyer in California says it was ‘a legal experiment’

This is a weird one, and has to do with an AI-generated petition filed three times in an antitrust lawsuit brought against Apple by the Coronavirus Reporter Corporation. The lawyer in the case explained that he created the document as a “legal experiment.” He wrote:

“I also ‘approved for distribution’ a Petition which Apple now seeks to strike. Apple calls the Petition a ‘manifesto,’ consistent with their five year efforts to deride us. But the Court should be aware that no human ever authored the Petition for Tim Cook’s resignation, nor did any human spend more than about fifteen minutes on it. I am quite weary of Artificial Intelligence, as I am weary of Big Tech, as the Court knows. We have never done such a test before, but we thought there was an interesting computational legal experiment here.

Apple has recently published controversial research that AI LLM's are, in short, not true intelligence. We asked the most powerful commercially available AI, ChatGPT o3 Pro ‘Deep Research’ mode, a simple question: ‘Did Judge Gonzales Rogers’ rebuke of Tim Cook’s Epic conduct create a legally grounded impetus for his termination as CEO, and if so, write a petition explaining such basis, providing contextual background on critics’ views of Apple’s demise since Steve Jobs’ death.’ Ten minutes later, the Petition was created by AI. I don't have the knowledge to know whether it is indeed 'intelligent,' but I was surprised at the quality of the work—so much so that (after making several minor corrections) I approved it for distribution and public input, to promote conversation on the complex implications herein. This is a matter ripe for discussion, and I request the motion be granted.”

Lawyers in Michigan blame an internet outage

“Unfortunately, difficulties were encountered on the evening of April 4 in assembling, sorting and preparation of PDFs for the approximately 1,500 pages of exhibits due to be electronically filed by Midnight. We do use artificial intelligence to supplement their research, along with strict verification and compliance checks before filing.

AI is incorporated into all of the major research tools available, including West and Lexis, and platforms such as ChatGPT, Claude, Gemini, Grok and Perplexity. [We] do not rely on AI to write our briefs. We do include AI in their basic research and memorandums, and for checking spelling, syntax, and grammar. As Midnight approached on April 4, our computer system experienced a sudden and unexplainable loss of internet connection and loss of connection with the ECF [e-court filing] system … In the midst of experiencing these technical issues, we erred in our standard verification process and missed identifying incorrect text AI put in parentheticals in four cases in footnote 3, and one case on page 12, of the Opposition.”

Lawyers in Washington DC blame Grammarly, ProWritingAid, and an IT error

“After twenty years of using Westlaw, last summer I started using Lexis and its protege AI product as a natural language search engine for general legal propositions or to help formulate arguments in areas of the law where the courts have not spoken directly on an issue. I have never had a problem or issue using this tool and prior to recent events I would have highly recommended it. I failed to heed the warning provided by Lexis and did not double check the citations provided. Instead, I inserted the quotes, caselaw and uploaded the document to ProWritingAid. I used that tool to edit the brief and at one point used it to replace all the square brackets ( [ ) with parentheses.

In preparing and finalizing the brief, I used the following software tools: Pages with Grammarly and ProWritingAid ... through inadvertence or oversight, I was unaware quotes had been added or that I had included a case that did not actually exist … I immediately started trying to figure out what had happened. I spent all day with IT trying to figure out what went wrong.”

A lawyer in Texas blames their email, their temper, and their legal assistant

“Throughout May 2025, Counsel's office experienced substantial technology related problems with its computer and e-mail systems. As a result, a number of emails were either delayed or not received by Counsel at all. Counsel also possesses limited technological capabilities and relies on his legal assistant for filing documents and transcription - Counsel still uses a dictation phone. However, Counsel's legal assistant was out of the office on the date Plaintiffs Response was filed, so Counsel's law clerk had to take over her duties on that day (her first time filing). Counsel's law clerk had been regularly assisting Counsel with the present case and expressed that this was the first case she truly felt passionate about … While completing these items, Counsel's law clerk had various issues, including with sending opposing counsel the Joint Case Management Plan which required a phone conference to rectify. Additionally, Counsel's law clerk believed that Plaintiff’s Response to Defendant's Motion to Dismiss was also due that day when it was not.

In midst of these issues, Counsel - already missing his legal assistant - became frustrated. However, Counsel's law clerk said she had already completed Plaintiff's Response and Counsel immediately read the draft but did not thoroughly examine the cases cited therein … unbeknownst to Counsel and to his dismay, Counsel's law clerk did use artificial intelligence in drafting Plaintiff's Response. Counsel immediately instituted a strict policy prohibiting his staff from using artificial intelligence without exception - Counsel doesn't use artificial intelligence, so neither shall his staff.

Second, Counsel now requires any staff assisting in drafting documents to provide Counsel with a printout of each case cited therein with the passage(s) being relied on highlighted or marked.”

The lawyer also submitted an invoice from a company called Mainframe Computers for $480 which include line items for “Install office,” “printer not working and computer restarting,” “fixes with email and monitors and default fonts,” and “computer errors, change theme, resolution, background, and brightness.”

This post is for subscribers only

Become a member to get access to all content
Subscribe now

18 Lawyers Caught Using AI Explain Why They Did It

^{Jason Koebler (404 Media)}

404 Media

2025-09-29 19:06:57

Reddit Mods Sued by YouTuber Ethan Klein Fight Efforts to Unmask Them

This article was produced in collaboration with Court Watch, an independent outlet that unearths overlooked court records.Subscribe to them here.

Critics of YouTuber Ethan Klein are pushing back on subpoenas that would reveal their identities as part of an ongoing legal fight between Klein and his detractors. Klein is a popular content creator whose YouTube channel has more than 2 million subscribers. He’s also involved in a labyrinthine personal and legal beef with three other content creators and the moderators of a subreddit that criticises his work. Klein filed a legal motion to compel Discord and Reddit to reveal the identities of those moderators, a move their lawyers say would put them in harm’s way and stifle free speech on the internet forever.

Klein is most famous for his H3 Podcast and collaborations with Hasan Piker and Trisha Paytas which he produced through his company Ted Entertainment Inc. Following a public falling out with Piker, Klein released a longform video essay critiquing his former podcast partner. As often happens with long video essays about YouTube drama, other content creators filmed themselves watching Klein’s essay.
playlist.megaphone.fm?p=TBIEA2…
These are called “reaction” videos and they’re pretty common on YouTube. Klein sued three creators—Frogan, Kaceytron, and Denims—calling their specific reaction videos low effort copyright infringement. As part of the lawsuit, he also went after the moderation team of the r/h3snark subreddit—a board on Reddit that critiques Klein and had shared the Denims video as part of a thread about Klein’s Piker essay.

On July 31, a judge allowed Klein’s lawyers to file a subpoena with Reddit and Discord that would reveal the identities of the people running r/h3snark and an associated Discord server. On September 22, lawyers for the defendants filed a motion to quash the subpoenas.

“On its face, the Action is about copyright infringement,” the latest filing said. “At its heart, however, the Action is about stifling criticism and seeking retribution by unmasking individuals for perceived reputational harms TEI [Klein’s production company] attributes to [John Doe moderators] unrelated to TEI’s intellectual property rights.”

The defendants’ lawyers said the subpoena to unmask moderators should be quashed because Klein can’t prove his case of copyright infringement, but also because revealing such information could put the Does’ in harm’s way. “The balance of equities weighs in favor of Does’ anonymity and quashing TEI’s Subpoenas in their entirety,” the filing said.

As evidence of the danger faced by the Does, the court filing quoted Klein directly. “Listen, guys, at this point you [r/h3snark mods] are totally fucked,” Klein said on a podcast, according to the court filing. “There’s a subpoena that’s going to come. You can’t erase your data. We’re going to get your IP address and find your information.”

“If there’s any justice in the world [the h3snark mods] will lose everything that they care about and I will be the one who makes them lose those things […] through legal means. Through any legal means,” he said, according to the court filing.

The defendants' lawyers paint a grim picture of what might happen should Klein’s subpoenas succeed: they “fear potentially being attacked, or worse, killed, over moderating a subreddit,” the filing said. “These worries extend to all family and friends connected to Does. Does fear their professional lives being ruined, potential sexual violence, extortion, fans showing up to their home, and endless years of harassment due to Ethan’s prolific lies surrounding them. The target he has painted on the moderators would make it unsafe to live openly in any capacity. Some Does also have heightened risk of retaliatory harm due to their religious identities. If their real names are revealed, these Does—and their families—face a real risk of being doxed, stalked, or harassed, as has happened to others in similar situations. In this climate, unmasking Does would expose them to significant and unjustified danger.”

Personal safety wasn’t the only legal argument the moderator’s lawyers put forward. A key part of Klein’s claim is that the Does violated his copyright by hosting links on r/h3snark of other streamers reacting to his video “Content Nuke—Hasan Piker.” His legal case is built around going after content creators for making “low effort” content using his work, but also the anonymous people on Reddit who shared links of those videos.

“The next question is whether creating a discussion thread, which includes a link to a streamer’s channel, where the streamer reacts to a live broadcast while providing her own commentary and criticism, and users visiting the thread engage in their own debate about the live broadcast and reactions thereto, constitutes contributory infringement,” the filing said. “It does not.”

The lawyers also argued that a Reddit “megathread”—a common practice where the moderators of a subreddit create one single space on a board for people to talk about a specific top—are fair use, that the reaction videos were transformative and should be considered fair use, and that the reaction videos increased the public’s exposure to Klein’s video.

💡
Do you know anything else about this story? I would love to hear from you. Using a non-work device, you can message me securely on Signal at +1 347 762-9212 or send me an email at matthew@404media.co.

At the end of the filing, the lawyers returned again to the personal safety of the moderators. They argued that even if Klein’s claim of copyright infringement met the burden of proof, and the lawyers don’t believe it does, the balance of harms is in favor of the moderators. “The personal harms to Does by allowing unmasking, as well as the public harms to online speech and discourse generally, would be irreparable in the private sense and long-reaching in the public sense,” the filing said.

The anonymity of places like Reddit and Discord grant a layer of protection to people seeking to critique power. This case could set a dangerous precedent, the lawyers believe. “If the court allows TEI’s Subpoenas, it would enable TEI to impose a considerable price on Does’ use of the vehicle of anonymous speech—including public exposure, real risks of retaliation and actual harm, and the financial and other burdens of defending the Action,” the filing said.

The filing added: “Very few would-be commentators are prepared to bear costs of this magnitude. So, when word gets out that the price tag of criticizing Ethan is this high—that speech will disappear. But that is precisely what Ethan Klein wants.”

Court Watch

The Definitive Source for Legal News

^{Court Watch}

404 Media

2025-09-29 14:53:21

Landlords Demand Tenants’ Workplace Logins to Scrape Their Paystubs

Landlords are using a service that logs into a potential renter’s employer systems and scrapes their paystubs and other information en masse, potentially in violation of U.S. hacking laws, according to screenshots of the tool shared with 404 Media.

The screenshots highlight the intrusive methods some landlords use when screening potential tenants, taking information they may not need, or legally be entitled to, to assess a renter.

“This is a statewide consumer-finance abuse that forces renters to surrender payroll and bank logins or face homelessness,” one renter who was forced to use the tool and who saw it taking more data than was necessary for their apartment application told 404 Media. 404 Media granted the person anonymity to protect them from retaliation from their landlord or the services used.

💡
Do you know anything else about any of these companies or the technology landlords are using? I would love to hear from you. Using a non-work device, you can message me securely on Signal at joseph.404 or send me an email at joseph@404media.co.

“I am livid,” they added.

This post is for subscribers only

Become a member to get access to all content
Subscribe now

Landlords Demand Tenants’ Workplace Logins to Scrape Their Paystubs

^{Joseph Cox (404 Media)}

404 Media

2025-09-29 13:00:05

How Ruby Went Off the Rails

For the past couple of weeks, a community of developers who use the programming language Ruby have been closely following a dramatic change in ownership of some of the most essential tools in its ecosystem with far reaching impacts for the worldwide web.

If you’re not familiar with Ruby or the open source development community, you probably haven’t heard about any of this, but the tools in question serve as critical infrastructure for gigantic internet services like GitHub, Shopify, and others, so any disruption to them would be catastrophic to those companies, their users, and vast swaths of the internet.

On September 19, Ruby Central, a nonprofit organization that manages RubyGems.org, a platform for sharing Ruby code and libraries, asserted control over several GitHub repositories for Ruby Gems as well as other critical Ruby open source projects that the rest of the Ruby development community relies on. A group of open source developers who had contributed to those projects and maintained them for years had their permissions suddenly revoked. When these developers announced on social media that their access was taken away, many Ruby developers saw the decision as a betrayal of their years-long contributions to the Ruby ecosystem and open source principles more generally. Others accused Ruby Central of succumbing to corporate pressure from companies like Shopify, which they claimed wanted more control over the project.

In some ways, this whole affair is an example of why this stuff gets really messy when people start getting paid

I’ve spent the last week talking to people who had direct involvement with Ruby Central’s decision, the contributors who were ousted, and developers in the Ruby community. I’ve heard accusations of greed, toxic personalities, and stories about years-long feuds between people, at times in open disagreement, who ultimately govern some of these important open source tools.

RubyGems.org and other critical Ruby tools have so far not been interrupted during this transition, but the incident sheds light on a basic truth about the internet and open source development: Much of the technology we use every day and take for granted is being maintained by a small number of developers who are not compensated for that work or get paid very little when compared to salaries at big tech companies. Open source development continues to make much of the internet possible, but as some of these tools become more important and financially valuable, they’re subject to more scrutiny and pressure from the community, organizations, and companies that rely on them.

“In some ways, this whole affair is an example of why this stuff gets really messy when people start getting paid, and once you start introducing formal organizations and employees and nonprofits and lawyers and all this kind of complexity,” Mike McQuaid, developer of the popular package manager Homebrew, which is built with Ruby, told me. McQuaid has talked to and offered to mediate between Ruby Central and the ousted maintainers. “This is a textbook case of what happens when there's this conflict between what companies want, what nonprofit individuals want, how much responsibility people have when they take money, who gets control and when. How much democracy versus just ‘I have the power to do something, therefore I'm going to do it.’”

With Ruby developers can download and use self-contained packages of code that add different functionalities to a Ruby project. These packages are called gems, and are distributed primarily via RubyGems.org, where developers can upload gems they’ve developed or download gems from other developers.

The ability to download gems and plug them into different projects is very useful and convenient for Ruby developers, but can create complications. Different gems are developed by different teams and are updated at different times with bug fixes and new features, and might not necessarily be compatible or play well with one another as they evolve.

This is where Bundler comes in. As its website explains, “Bundler provides a consistent environment for Ruby projects by tracking and installing the exact gems and versions that are needed.” So, for example, if a developer is building a Ruby project and wants to use gems X, Y, and Z, Bundler will pull the versions of those gems that are compatible with one another, providing developers an easy solution for what Bundler describes as “dependency hell.”

Bundler is an open source project that was initially developed by Yehuda Katz, but the GitHub repository for the project was created and was administrated by André Arko. In 2015, Arko also founded a nonprofit trade organization named Ruby Together, which raised funds from developers and companies that use Ruby in order to maintain Bundler and other open source tools.

I will not mince words here: This was a hostile takeover

RubyGems.org, the site and service, is governed by Ruby Central, a nonprofit founded in 2001, which also organizes several Ruby conferences like RubyConf and RailsConf. In 2022, Arko’s Ruby Together and Ruby Central merged, “uniting the Ruby community’s leading events and infrastructure under one roof,” according to Ruby Central’s site. Bundler’s and RubyGems.org’s work often overlapped both in their goals and the developers who worked on them, but operated across two different GitHub organizations, each with its own repositories. To streamline development of these open source projects, Bundler also joined the Ruby Gems GitHub organization in 2022.

In 2023, Ruby Central established the Open Source Software Committee, which according to its site oversees RubyGems, Bundler, and RubyGems.org, focusing on infrastructure stability, security, and sustainability.

A confusing and central point of disagreement between Ruby Central and the maintainers it ousted on September 19 is rooted in the merging of Ruby Together and Ruby Central and the difference between Rubygems.org the service, essentially an implementation of the Ruby Gems codebase on an AWS instance, which both parties agree Ruby Central owns and operates, and the Ruby Gems the codebase that lives in the same GitHub organization as Bundler.

According to a recording of a mid-September Zoom meeting which I obtained between Marty Haught, Ruby Central’s Director of Open Source, Arko, and the other ousted contributors, Ruby Central maintains that the codebase and GitHub organization became its responsibility when Ruby Central merged with Ruby Together in 2022. The ousted contributors’ position is that members of Ruby Central, like Haught, can be owners of the GitHub organization, but that ownership of the RubyGems codebase and other projects in the GitHub organization belong to the contributors, who don’t have a detailed governance model but historically have governed by consensus.

Arko made this argument to me in a recent interview, but also outlined that argument in a blog post, where he also shared the merger agreement between Ruby Central and Ruby Together. It shows that Ruby Together would dissolve and that Ruby Central would be in charge of raising and allocating funds for development, but does not explicitly say Ruby Central takes ownership of the RubyGems and Bundler projects or the GitHub organization.

To make matters even more complicated, Arko was at once a contributor to these open source projects, a contributor to RubyGems.org the service, an owner of the GitHub organization, and an advisor to Ruby Central’s Open Source Software Committee.

In May, Arko resigned his position as an advisor to Ruby Central’s Open Source Software Committee, but continued his work as a contributor. Arko told me he resigned his advisory role because of Ruby Central’s last minute invitation of David Heinemeier Hansson, better known online as DHH, as a keynote speaker at RailsConf.

Arko told me he objected to that decision because of DHH’s “horrifying, racist, misogynist, politics” and DHH’s “personal vendetta” against him. In 2021, back at Motherboard, we reported that many employees at DHH’s company, Basecamp, quit after his decision to ban any discussion of politics at work, which many employees saw as squashing discussion about race, bias, and diversity. Arko told me that DHH’s “personal vendetta” against him stemmed from Arko not wanting to support a certain feature DHH wanted added to Bundler, after which DHH demanded Arko be removed from the Ruby Together board.

The current controversy erupted on social media on September 19, when one contributor to the open source projects in the RubyGems and Bundler GitHub organization, Ellen Dash, announced that Haught, Ruby Central’s Director of Open Source, revoked GitHub organization membership for all admins on the RubyGems, Bundler, and RubyGems.org maintainer teams. At that moment, their permissions and access to the GitHub organization were revoked, meaning they could no longer make any changes or contributions to the code, and Haught, representing Ruby Central, took control.

“I will not mince words here: This was a hostile takeover,” Dash said in a public “goodbye” letter they shared online. “I consider Ruby Central’s behavior a threat to the Ruby community as a whole. The forceful removal of those who maintained RubyGems and Bundler for over a decade is inherently a hostile action. Ruby Central crossed a line by doing this.”

The news was seen by many developers in the Ruby and open source community as betraying the dedication and labor that Dash, Arko, and other maintainers put into these tools for years.

Ruby Central, meanwhile, describes the move as one centered around security.

“With the recent increase of software supply chain attacks, we are taking proactive steps to safeguard the Ruby gem ecosystem end-to-end,” Ruby Central said in an explanation of its decision. “To strengthen supply chain security, we are taking important steps to ensure that administrative access to the RubyGems.org, RubyGems, and Bundler is securely managed. This includes both our production systems and GitHub repositories. In the near term we will temporarily hold administrative access to these projects while we finalize new policies that limit commit and organization access rights. This decision was made and approved by the Ruby Central Board as part of our fiduciary responsibility. In the interim, we have a strong on-call rotation in place to ensure continuity and reliability while we advance this work. These changes are designed to protect critical infrastructure that power the Ruby ecosystem, whether you are a developer downloading gems to your local machine [or] a small or large team who rely on the safety and availability of these tools.”

404 Media has covered the kind of recent supply chain attacks targeting open source projects that Ruby Central is referring to. Earlier this month, a critical JavaScript development tool Node Package Manager (NPM), was targeted by a similar supply chain attack. But not everyone in the Ruby development community bought the explanation that security was at the heart of the recent moves. One reason for that is a public statement from a Ruby Central board member and treasurer Freedom Dumlao.

On Substack, Dumlao apologized for the sudden change and how it was communicated.

“If Ruby Central made a critical mistake, it's here,” he wrote. “Could these conversations have been happening in public? Could the concerns we were hearing from companies, users and sponsors have been made more apparent? Probably. But I remind you we don't have a ‘communications team’, no real PR mechanism, we are all just engineers who (like many of you I'm sure) go heads down on a problem until it's solved.”

Dumlao reiterated that RubyGems and Bundler are critical infrastructure that are now increasingly under the threat of supply chain attacks, and said that the companies that rely on them “count” on Ruby Central do everything it can to keep them and their users safe.

However, Dumlao also said that Ruby Central was under “deadline” to make this change.

“Either Ruby Central puts controls in place to ensure the safety and stability of the infrastructure we are responsible for, or lose the funding that we use to keep those things online and going,” Dumlao wrote.

In a September 22 video message in response to criticism about its decision to remove maintainers, Ruby Central’s executive director Shan Cureton described a similar dynamic. She said “sponsors and companies who depend on Ruby tooling came to us with supply chain concerns” and that “Our funding and sponsorships are directly tied to our ability to demonstrate strong operational standards. Without those standards in place, it becomes harder to secure the support needed to keep maintainers paid, organize events, and provide resources for developers at every stage of their journey.”

Since Shopify is one of the primary sponsors and funders of Ruby Central, this led some in the Ruby community to believe that Shopify was exerting pressure on Ruby Central to make this change.

“That is not how it happened, and I wish I had been more careful with my wording in that blog post,” Dumlao told me in a Linkedin message when I asked him if Ruby Central was under pressure from Shopify to make these changes.

I just don't think that there's any other plausible explanation than Shopify demanded this.

After I gave Dumlao my number so we could do a phone interview, I got an email from Cindi Sutera, who was recently brought on as a spokesperson for Ruby Central.

"Ruby Central’s mission is to keep the infrastructure that Rubyists rely on stable, safe, and trustworthy,” she told me. “As part of a routine review following organizational changes, we identified a small number of accounts whose privileges no longer matched current role requirements. The Board voted that it was imperative to align access with our privilege policy to keep the infrastructure that the Ruby community depends on stable. This is our mission.”

Sutera said that the board approved “a temporary administrative hold on certain elevated permissions” while it finalized operator agreements and governance roles.

“To move quickly and transparently, we imposed a clear deadline to complete operator agreements and close gaps,” she said. “We could have communicated earlier that we felt it necessary to move quickly and wish we could have given the community more time to prepare for this action. And now, here we are committed to completing this transition for the stability and security of the Ruby Gems supply chain. More updates are coming as we work through security protocols and stabilization efforts.”

“There’s literally only one company providing the money that is keeping Ruby Central open, and it is Shopify,” Arko told me. “And so I just don't think that there's any other plausible explanation than Shopify demanded this.”

When I asked Arko why he thought Ruby Central removed him, if it wasn’t for security reasons, Arko said: “totally unprovable speculation is Shopify’s CEO is best friends with DHH, who hates me.” DHH is also a Shopify board member.

“Thanks for the invitation, but not my place to weigh in a lot on this while they're working through these changes,” DHH told me in an email when reached for comment. “But I support them taking steps to secure and professionalize the supply chain work they're doing.”

Shopify did not reply to a request for comment.

As this episode spread on social media, I talked to several people associated with Ruby Central who told me the board was acting in the interest of the RubyGems and the Ruby community. Two sources who asked for anonymity for fear of retaliation said that Arko was difficult to work with, questioned how he used funds raised by Ruby Together, and claimed that a new Ruby version manager he’s working on, rv, means he has a conflict of interest with his work on RubyGems and Bundler.

Arko acknowledged to me he heard he’s been difficult to work with in the past. He said that sometimes he’s been able to reach out to people directly and resolve any issues, and that sometimes he hasn’t. He rejected the other allegations, and said that Ruby Together’s financials have always been public.

“It has always been fully public, and the amount has been fixed at $150 an hour for 10 years,” he said, referring to the amount contributors got paid to work on Bundler. Arko added that nobody has ever been paid for more than 20 hours a week, and that the most he’s been able to raise in a single year is $300,000 to pay eight different contributors. “Nobody has gotten a raise for 10 years.”

"As a matter of policy, we don’t discuss individual personnel,” Sutera, the Ruby Central spokesperson, said when I asked if Arko was removed from the GitHub organization because of his previous behavior. “Our recent actions were organization-wide governance measures aimed at aligning access with policy. Our priority is maintaining a stable and secure Ruby Gems supply chain."

McQuaid, the developer of Homebrew and who followed the controversy, told me that even Arko’s harshest critics wouldn’t deny the contributions he’s made to the Ruby community over the years.

Regarding Arko’s blog post about his removal, McQuaid told me it’s good that Arko is crediting other people for their contribution and that he’s following open source principles of community and transparency, but that “his ‘transparency’ here has been selective to things that benefit him/his narrative, he seems unwilling or unable to admit that he failed as a leader in being unwilling or unable to introduce a formal governance process long before this all went down or appoint a meaningful successor and step down amicably.”

The fundamental disagreement here is about who “owns” the GitHub organization that houses Bundler and RubyGems. Technically, Ruby Central was able to assert control because Hiroshi Shibata, a member of the Ruby core team and one of the contributors who has owner-level permissions on the GitHub, made Haught, who revoked the others’ access, an owner as well. Any owner can add or remove any other owner, but when Ruby Central’s board voted to make this change Haught acted immediately and removed Arko, Dash, and others.

However, Arko fundamentally disagrees with the premise that Ruby Central has the right to govern the GitHub organization in any way, and believes that it has always belonged to the group of contributors who had access up until September 19.

Arko said that even if Ruby Central gave him his permissions back, he would not consider the matter resolved until Ruby Central stopped claiming it owns Bundler “but I am definitely not going to hold my breath for that one.”

“When people really care, they're passionate and they're enthusiastic and they argue, and that often looks like drama,” McQuaid, the developer of Homebrew, said when I asked what he thinks this entire affair says about the state of open source development. “But if I had to pick between having the enthusiasm and the drama or losing both, then I'd probably pick the enthusiasm and the drama, because in some ways, the system is somewhat self correcting. Even the stuff that's going on right now, people are having essentially a very public debate about what role do large companies or nonprofits or individual maintainers have in open source. To what extent does someone's level of contribution matter versus what type of person they are? I think these are valuable discussions to be having, and we're having them in the open, whereas if it was in a company, this would all be in a meeting room or with an HR department or in a leadership offsite or whatever.”

A board member's perspective of the RubyGems controversy

What a week it's been as a Ruby Central Board Member.

^{Freedom Dumlao (Freedom’s Substack)}