When the federal government collects information about citizens,
the law requires specific things first.

Privacy disclosures.

Notices in the Federal Register.

Published contracts with outside vendors.

I went looking for all of it across twelve National Design Studio programs and found none of it,
not a single required document filed across any of the twelve.

Every missing document is, by itself, a violation of federal law,
and these are the laws Congress wrote after Watergate to make sure the federal government could not run secret surveillance programs on its own citizens.

The only document they did publish is a privacy policy on TrumpRx,
and it contradicts itself two paragraphs apart.

The first paragraph says PostHog records the pages users visit and the medications they view.

Two paragraphs later, it says they do not collect health or medical information.

A federal health website is lying to the people using it and cannot even keep the lie consistent.

I wanted to know whether there were more sites the studio had not announced.

Here is something almost nobody outside of security research knows.

Every website with a padlock in the address bar has a certificate,
and there is a rule that every certificate issued anywhere in the world must be logged in a public ledger the moment it is created,
no exceptions.

The side effect of that rule is that every new website on the internet,
even ones nobody has announced and even ones hidden behind a login,
leaves a public fingerprint the moment it is built.

There is a free search engine called 👉 crt.sh where anyone can look up those logs.

I typed in the studio’s domain, and underneath the public sites I already knew about were roughly forty more, unannounced,
with no links pointing to them from any public page.

I started reading the names.

Sites that looked like they belonged to the State Department.
To NASA.
To the Department of Homeland Security.

And then two that stopped me cold:

a working preview of vote.gov,

and something called fbi-kirk-tipline.

I checked the public ownership records for every subdomain,
and every single one traced back to the same place,
the Executive Office of the President.

The National Design Studio had built pre-launch versions of websites belonging to other federal agencies
and registered all of it to the White House.
#NationalDesignStudio
#surveillance #gebbia
#PostHog #AutoMonitor

The structure of the National Design Studio will be familiar to anyone who has been paying attention.

Staff are hired under a federal authority called Section 3161,
written for temporary advisory bodies,
which means most of them are part-time advisors or volunteers.

They do not appear on the White House salary report.

They answer to no inspector general, because the Executive Office of the President does not have one.

If that sounds familiar, it should,
because it is exactly how DOGE was run.

Gebbia spent six months at DOGE before taking his current role.

The senior staff at the National Design Studio, when you pull the bylines from their blog posts and run the names against court filings, come back from the same place,
-- DOGE -- the same DOGE currently named as defendant in multiple federal lawsuits for letting engineers without proper security clearance access Social Security data and Department of Homeland Security data,
and for sharing sensitive federal information with outside parties.

The National Design Studio is not a successor to DOGE.

It is DOGE with a better logo and a design philosophy.

Now, back to TrumpRx looking at you.

Every webpage you load is making phone calls.

Not to people, but to servers around the internet,
-- dozens per second, all invisible to you.

When I opened TrumpRx, I right-clicked the page, opened the browser’s built-in inspector, and started reading the list.

Mixed in with the routine traffic was a name I recognized:
#PostHog.

PostHog is a Silicon Valley analytics company whose entire business model is recording what visitors do on a website and reporting it back to whoever owns the site.

Mouse movements, clicks, scrolls, keystrokes.

I had not typed anything. I had not clicked anything.

I had just opened the page, and it was already on the phone with PostHog telling them about me.

The recordings are not anonymized.

IP addresses are not stripped.

And the way it is configured, the data looks to your browser like it is going back to TrumpRx,
but it is actually being forwarded behind the scenes to PostHog.

That is a technique used to slip past ad blockers by disguising where the data is really going,
and it is not something I expected to find on a federal health website.

So I went and looked at the other sites the studio had built.

Real Food, the federal food policy site.

Trump Accounts, the children’s savings program.

The studio’s own homepage, ndstudio.gov.

All of them had the same vendor, the same setup,
IP addresses not stripped,
the same forwarding trick.

And on ndstudio.gov alone,
running alongside PostHog,
was something someone had built entirely by hand.

Five hundred and forty lines of custom JavaScript with a name embedded directly in the code:
#AutoMonitor.

What it appears to do is rewire the part of the browser that handles how a page talks to the outside world,
so that every conversation the page has with any server gets copied and forwarded to a private backend with no public presence.

The studio has the structural ability to keep a copy of every recording as it passes through their infrastructure.

I cannot prove they are keeping one.

The pipe is built that way on purpose, and that is the part that matters.

https://thedreydossier.substack.com/p/i-found-a-second-votegov-and-its