There is a moment in every investigation where the thing you have been looking for finds you instead. Mine found me on TrumpRx.
If you have not been to TrumpRx, it is a federal drug pricing website that looks like Wix and a Pinterest board threw up on each other. There is a gold three-dimensional eagle on the homepage clutching a ribbon in its talons that says TrumpRx. There are pills floating across the screen like a pharmaceutical screensaver. The tagline, and I am quoting directly from a website owned by the United States government, invites you to TrumpRx the price. It has the typography of a Brooklyn juice bar and the self-regard of someone who has never been told no. It is, in every conceivable aesthetic sense, a catastrophe. And while you are busy looking at the eagle, the website is busy looking at you. I wish I were being metaphorical.
In the footer of the page, beneath all of it, I found something I have never seen on a federal government website in my life. A byline. The government does not do this. The IRS does not sign its work. The FBI does not. Social Security does not. No federal agency that has ever built a website has felt the need to take credit for it. In plain bold text, sitting directly above the privacy policy, it said: Designed and Engineered in D.C. by National Design Studio. So I clicked through.
The National Design Studio was created by executive order in August 2025. Its job, officially, is to redesign how Americans experience their government. Its leader is Joe Gebbia, cofounder of Airbnb, which is to say he is a man who looked at the American home and saw an untapped revenue stream. If anyone understands how to improve public spaces, it is the company that took residential ones and made sure the public could never afford them again. He reports directly to White House Chief of Staff Susie Wiles, which is a strange place to house a website design agency. A technology office that builds federal websites should answer to the General Services Administration, or at minimum to the agencies whose websites it is building. Instead it answers to the person who controls access to the President. His position requires no Senate confirmation, which means he files no financial disclosures, which means the office he runs does not appear in any federal procurement database, which means as far as the official record is concerned, it barely exists.
Which, as I was about to find out, was entirely the point.
The structure of the National Design Studio will be familiar to anyone who has been paying attention. Staff are hired under a federal authority called Section 3161, written for temporary advisory bodies, which means most of them are part-time advisors or volunteers. They do not appear on the White House salary report. They answer to no inspector general, because the Executive Office of the President does not have one. If that sounds familiar, it should, because it is exactly how DOGE was run.
Gebbia spent six months at DOGE before taking his current role. The senior staff at the National Design Studio, when you pull the bylines from their blog posts and run the names against court filings, come back from the same place: DOGE, the same DOGE currently named as defendant in multiple federal lawsuits for letting engineers without proper security clearance access Social Security data and Department of Homeland Security data, and for sharing sensitive federal information with outside parties. The National Design Studio is not a successor to DOGE. It is DOGE with a better logo and a design philosophy.
Now, back to TrumpRx looking at you.
Every webpage you load is making phone calls. Not to people, but to servers around the internet, dozens per second, all invisible to you. When I opened TrumpRx, I right-clicked the page, opened the browser’s built-in inspector, and started reading the list. Mixed in with the routine traffic was a name I recognized: PostHog. PostHog is a Silicon Valley analytics company whose entire business model is recording what visitors do on a website and reporting it back to whoever owns the site. Mouse movements, clicks, scrolls, keystrokes. I had not typed anything. I had not clicked anything. I had just opened the page, and it was already on the phone with PostHog telling them about me.
The recordings are not anonymized. IP addresses are not stripped. And the way it is configured, the data looks to your browser like it is going back to TrumpRx, but it is actually being forwarded behind the scenes to PostHog. That is a technique used to slip past ad blockers by disguising where the data is really going, and it is not something I expected to find on a federal health website. So I went and looked at the other sites the studio had built. Real Food, the federal food policy site. Trump Accounts, the children’s savings program. The studio’s own homepage, ndstudio.gov. All of them had the same vendor, the same setup, IP addresses not stripped, the same forwarding trick. And on ndstudio.gov alone, running alongside PostHog, was something someone had built entirely by hand. Five hundred and forty lines of custom JavaScript with a name embedded directly in the code: AutoMonitor. What it appears to do is rewire the part of the browser that handles how a page talks to the outside world, so that every conversation the page has with any server gets copied and forwarded to a private backend with no public presence. The studio has the structural ability to keep a copy of every recording as it passes through their infrastructure. I cannot prove they are keeping one. The pipe is built that way on purpose, and that is the part that matters.
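The inspector reading and the forwarding pattern described above, as an added example that is not code from the article or from any site it names: a small audit over a captured request list that flags session-replay analytics traffic and, separately, vendor SDK paths served from the page's own origin, which is the signature of a same-origin reverse proxy. The vendor host and path signatures are general knowledge about the PostHog browser SDK; the page origin and sample requests are constructed.

```javascript
// Added example, not code from the article or from the studio's sites: audit a
// captured request list (what the browser's Network inspector shows) for
// session-replay analytics and for the first-party forwarding pattern the
// article describes. Vendor host and SDK path signatures below are general
// knowledge about the PostHog browser SDK; the sample requests are constructed.

// A vendor is recognised two ways: its own hostname, or its SDK's URL paths
// appearing on the page's own origin with the vendor host absent. The second
// case is a same-origin reverse proxy, which hides the real destination from
// blocklists that match on hostnames. Path matches are heuristics: confirm in
// the inspector before drawing conclusions.
const VENDORS = {
  PostHog: {
    hosts: [/(^|\.)posthog\.com$/i],
    paths: [
      { re: /\/static\/array\.js(\?|$)/,    what: "analytics SDK loaded" },
      { re: /\/static\/recorder\.js(\?|$)/, what: "session-replay recorder loaded" },
      { re: /\/e\/(\?|$)/,                  what: "event capture (pageviews, clicks)" },
      { re: /\/s\/(\?|$)/,                  what: "session recording upload" },
      { re: /\/decide\/(\?|$)/,             what: "remote config / flags fetch" },
    ],
  },
};

// requests: [{ url, startedMs }] in load order; firstInteractionMs is the time
// of the first click or keystroke, or null if the visitor never interacted.
function auditRequests(pageOrigin, requests, firstInteractionMs = null) {
  const origin = new URL(pageOrigin).origin;
  const findings = [];
  for (const req of requests) {
    const u = new URL(req.url);
    for (const [vendor, sig] of Object.entries(VENDORS)) {
      const vendorHost = sig.hosts.some((re) => re.test(u.hostname));
      const path = sig.paths.find((p) => p.re.test(u.pathname + u.search));
      if (!vendorHost && !path) continue;
      findings.push({
        vendor,
        url: req.url,
        what: path ? path.what : "request to vendor host",
        via: vendorHost ? "direct to vendor"
           : u.origin === origin ? "first-party proxy" : "third-party relay",
        beforeInteraction: firstInteractionMs === null || req.startedMs < firstInteractionMs,
      });
    }
  }
  return {
    findings,
    proxied: findings.some((f) => f.via === "first-party proxy"),
    sessionReplay: findings.some((f) => /recorder|recording/.test(f.what)),
    preInteraction: findings.filter((f) => f.beforeInteraction).length,
  };
}

// Constructed sample: a page that loads its own assets plus an analytics SDK
// served from an /ingest/ path on its own origin (not captured from any real site).
const SAMPLE_ORIGIN = "https://site.example";
const SAMPLE_REQUESTS = [
  { url: "https://site.example/",                            startedMs: 0 },
  { url: "https://site.example/assets/app.js",               startedMs: 120 },
  { url: "https://fonts.cdn.example/css?family=Inter",       startedMs: 150 },
  { url: "https://site.example/ingest/static/array.js",      startedMs: 310 },
  { url: "https://site.example/ingest/decide/?v=3&ip=1",     startedMs: 480 },
  { url: "https://site.example/ingest/static/recorder.js",   startedMs: 530 },
  { url: "https://site.example/ingest/e/?ip=1&_=1700000000", startedMs: 900 },
  { url: "https://site.example/ingest/s/?ip=1&_=1700000002", startedMs: 2400 },
];

console.log(JSON.stringify(auditRequests(SAMPLE_ORIGIN, SAMPLE_REQUESTS), null, 1));
```

For a real capture, export the Network panel as a HAR file and map each entry's `request.url` and `startedDateTime` into the `{ url, startedMs }` shape; a `proxied: true` result means the vendor's endpoints are being served under the site's own hostname, which is what the article observed.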
When the federal government collects information about citizens, the law requires specific things first. Privacy disclosures. Notices in the Federal Register. Published contracts with outside vendors. I went looking for all of it across twelve National Design Studio programs and found none of it, not a single required document filed across any of the twelve. Every missing document is, by itself, a violation of federal law, and these are the laws Congress wrote after Watergate to make sure the federal government could not run secret surveillance programs on its own citizens. The only document they did publish is a privacy policy on TrumpRx, and it contradicts itself two paragraphs apart. The first paragraph says PostHog records the pages users visit and the medications they view. Two paragraphs later, it says they do not collect health or medical information. A federal health website is lying to the people using it and cannot even keep the lie consistent.
I wanted to know whether there were more sites the studio had not announced. Here is something almost nobody outside of security research knows. Every website with a padlock in the address bar has a certificate, and there is a rule that every certificate issued anywhere in the world must be logged in a public ledger the moment it is created, no exceptions. The side effect of that rule is that every new website on the internet, even ones nobody has announced and even ones hidden behind a login, leaves a public fingerprint the moment it is built. There is a free search engine called crt.sh where anyone can look up those logs. I typed in the studio’s domain, and underneath the public sites I already knew about were roughly forty more, unannounced, with no links pointing to them from any public page. I started reading the names. Sites that looked like they belonged to the State Department. To NASA. To the Department of Homeland Security. And then two that stopped me cold: a working preview of vote.gov, and something called fbi-kirk-tipline. I checked the public ownership records for every subdomain, and every single one traced back to the same place, the Executive Office of the President. The National Design Studio had built pre-launch versions of websites belonging to other federal agencies and registered all of it to the White House.
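The certificate-log lookup described above, as an added example that is not code from the article or from the author's GitHub map: it reads the JSON that crt.sh returns for a `%.<base-domain>` query with `output=json`, builds a first-seen timeline per hostname, and reports the names missing from a known inventory. One caveat the paragraph glosses over: logging is required by the major browsers for publicly trusted certificates, so a host behind a private CA, or one that has no certificate yet, never shows up, and a certificate proves issuance, not that anything is deployed. The base domain, inventory and records below are constructed placeholders.

```javascript
// Added example, not code from the article or from the author's GitHub map: turn
// a crt.sh JSON export (https://crt.sh/?q=%25.<base-domain>&output=json) into a
// first-seen timeline of hostnames and report the ones missing from an inventory.
// crt.sh returns one record per logged certificate; name_value carries all the
// certificate's names, newline-separated, and not_before is an ISO-style string
// that sorts lexically. Base domain and records below are constructed placeholders.

// The label directly under the base domain: "previews" for a.previews.base,
// "" for the base domain itself. Useful for spotting staging environments.
function zoneOf(host, baseDomain) {
  if (host === baseDomain) return "";
  const labels = host.slice(0, -(baseDomain.length + 1)).split(".");
  return labels[labels.length - 1];
}

// One entry per hostname under baseDomain, with first/last certificate dates
// and certificate count, sorted by first appearance in the logs.
function hostTimeline(records, baseDomain) {
  const byHost = new Map();
  for (const rec of records) {
    const names = String(rec.name_value || "").split("\n")
      .map((n) => n.trim().toLowerCase()).filter(Boolean);
    for (const host of names) {
      if (host !== baseDomain && !host.endsWith("." + baseDomain)) continue;
      const cur = byHost.get(host);
      if (!cur) {
        byHost.set(host, { host, zone: zoneOf(host, baseDomain),
          firstSeen: rec.not_before, lastSeen: rec.not_before, certs: 1 });
      } else {
        cur.certs += 1;
        if (rec.not_before < cur.firstSeen) cur.firstSeen = rec.not_before;
        if (rec.not_before > cur.lastSeen) cur.lastSeen = rec.not_before;
      }
    }
  }
  return [...byHost.values()]
    .sort((a, b) => a.firstSeen.localeCompare(b.firstSeen) || a.host.localeCompare(b.host));
}

// Hostnames in the logs that are not on the known inventory: the unannounced ones.
function newSince(records, baseDomain, knownHosts) {
  const known = new Set(knownHosts.map((h) => h.toLowerCase()));
  return hostTimeline(records, baseDomain).filter((e) => !known.has(e.host));
}

// Constructed records using crt.sh's field names (other fields such as
// issuer_name and not_after omitted); these are not real log entries.
const SAMPLE_RECORDS = [
  { id: 1, common_name: "www.example.gov", name_value: "example.gov\nwww.example.gov",
    not_before: "2025-09-01T00:00:00" },
  { id: 2, common_name: "www.example.gov", name_value: "example.gov\nwww.example.gov",
    not_before: "2025-11-15T00:00:00" },
  { id: 3, common_name: "cdn.infra.example.gov", name_value: "cdn.infra.example.gov",
    not_before: "2026-01-20T00:00:00" },
  { id: 4, common_name: "staging-a.previews.example.gov",
    name_value: "staging-a.previews.example.gov", not_before: "2026-04-10T09:00:00" },
  { id: 5, common_name: "www.other.example", name_value: "www.other.example",
    not_before: "2026-05-01T00:00:00" },  // outside the base domain, ignored
];
const KNOWN_HOSTS = ["example.gov", "www.example.gov"];

console.table(newSince(SAMPLE_RECORDS, "example.gov", KNOWN_HOSTS));
```

Run against your own organisation's domain on a schedule, this is the same mechanism turned defensive: any hostname that appears in the logs but not in your inventory is either a team that skipped the process or someone else issuing certificates in your name.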
All of it ran through the same private Cloudflare account. Using Cloudflare is not unusual for a federal agency. Running forty federal websites through one personal account is another matter. The login screen for the gated preview sites read: loveisaskill.cloudflareaccess.com. Love is a skill is a phrase Gebbia has used publicly to describe Airbnb’s design philosophy. It is the kind of name you give an account when it belongs to you personally, not when it belongs to the federal government, and federal infrastructure is supposed to be owned by the agency, not the person running it.
The people running this office are worth knowing about. In 2025, a federal judge ordered everyone at DOGE blocked from accessing personnel records at the Office of Personnel Management. Three people were granted exceptions and allowed to keep their access anyway. Greg Hogan was one of them. The administration argued he was essential to ongoing system work, the judge accepted it, and Hogan kept his access to federal personnel records while every other DOGE staffer was locked out. He has since moved from DOGE into the National Design Studio, where he was recently promoted to run Login.gov, the federal government’s sign-in system. If you have ever applied for a federal job, requested your Social Security records online, or filed for federal benefits, you have used it. It scans your biometrics. More than 150 million Americans have accounts. The man who survived the OPM injunction now runs the front door to your federal identity.
A second name from the original DOGE cohort, Akash Bobba, now serves as the official security contact for the US African Development Foundation, a small independent agency the administration tried to dissolve by executive order earlier this year. The dissolution got tied up in court, the agency technically survived, but most of its staff was cleared out. Bobba now holds the credentials controlling the agency’s website, its email, and its security configuration, which means a White House staffer has full visibility into who applies for grants, who gets approved, and who inside that agency is talking to whom.
In October 2025, Bobba got on a recorded conference call with state election directors from across the country and presented a federal voter registration system the studio was building. Voters would register through a federal portal, their identities verified through Login.gov, their citizenship verified through DHS’s SAVE database, their registrations transmitted to the states. A state election director asked him what data the federal government would retain. He said, on a recording, in an election year: I don’t know what they retain and what they are logging. The person presenting a federal voter registration system to state election directors did not know what data his own system kept on American voters.
After Florida 2000, Congress passed a law creating the Election Assistance Commission specifically because both parties agreed that voter registration cannot live inside the White House of any sitting president. The sitting president should not have visibility into who is checking their registration in the weeks before an election that decides whether they keep their job. So Congress built a wall, and today vote.gov is registered to the Election Assistance Commission. As of this writing, that wall is still standing.
But in the certificate logs, underneath the studio’s unannounced sites, was a working preview of vote.gov, built inside the studio’s staging environment, behind the same Cloudflare login, isolated deliberately. The certificate appeared on April 10, 2026. Weeks before that certificate appeared, this administration signed an executive order requiring DHS, the Social Security Administration, and the SAVE program to construct a federal citizenship-verified voter list, with a deadline of ninety days from signing. That deadline is weeks away. When the order was challenged in federal court, the Department of Justice told the judge the agencies named had not yet begun preparation and were still in the deliberation phase.
The certificate is dated April 10. DOJ told a federal court the infrastructure does not exist. Both of those cannot be true. Either DOJ lied to a federal judge, or the studio is building a replacement for the country’s voter registration site without telling the agencies whose work it would replace. There is no third option.
While I was finishing this piece, I typed passports.gov directly into my browser, just to see what was there. A sign-in page came up: enter your email and we will send you a six-digit code. No State Department seal. No agency name. No privacy notice. Just a black button that says Send code. The owner of passports.gov is the Executive Office of the President, White House Office. The State Department does not own this domain. The security contact field is blank. The first certificate was issued May 5, three weeks ago. Based on what I can see in the staging environment, the next step will ask Americans to upload their passport photo through a White House-controlled website, on the same Cloudflare account, by the same people, with no privacy notice on file. A passport photo is biometric quality. Linked to your identity through Login.gov. Collected through infrastructure the White House owns, sealed from public view. They are building it this week.
Here is what the structure looks like from the outside. Section 3161 hides the staff so they do not appear on salary reports or file financial disclosures. The Executive Office of the President has no inspector general. There are zero required privacy disclosures filed across all twelve programs and no published contracts with any outside vendor. Forty federal websites run behind one personal Cloudflare account. And the Presidential Records Act seals everything for twelve years the day this administration ends, meaning until 2040, no one outside the White House can see who works there, what they collected, or where any of the data went.
What this office is doing is taking the parts of the federal government that touch you directly, your prescription, your voter registration, your passport, your federal login, out of the agencies that legally own them and rebuilding them on White House infrastructure. Vote.gov belongs to the Election Assistance Commission, and the studio built a copy. Passports belong to the State Department, and the studio is building a replacement this week. Login.gov belonged to GSA, and the studio’s guy runs it now.
Trump has said publicly that this infrastructure is for other presidents, and he is right about that. It is the one thing in this story I take him at his word on. The infrastructure outlasts him. Whoever wins in 2028 inherits the websites, the vendors, the data, and the hardware, sealed and waiting.
There is a gold three-dimensional eagle on the homepage of TrumpRx, clutching a ribbon in its talons. You are looking at the eagle. Something is being built underneath the government you think you have, on infrastructure you cannot see, by people who answer to no one, collecting everything.
I wish, still, that I were being metaphorical.
SOURCES CITED
NDS Infrastructure Map — my live, working GitHub map of every National Design Studio subdomain I have found, filterable by status, registrant, and parent domain. If you want to retrace this investigation or watch new subdomains appear in real time, start here.
The Front Door: NDS and Its Sites
National Design Studio (ndstudio.gov) — the office’s own homepage. The /work portfolio page lists every site they have built or are building, including TrumpRx, Real Food, Genesis Mission, Trump Accounts, Tech Force, Safe DC, Trump Card, and OPM Digital Retirements.
TrumpRx.gov — the federal drug pricing site. Footer links to ndstudio.gov via “National Design Studio.”
RealFood.gov — MAHA nutrition site. Same NDS footer credit.
TrumpAccounts.gov — children’s savings account program. Same NDS footer.
Genesis Mission (genesis.energy.gov) — the DOE/Oracle AI initiative. Oracle is listed as a partner on the homepage alongside NVIDIA, OpenAI for Government, IBM, Microsoft, AMD, AWS, and Google. Footer reads “DESIGNED IN D.C. BY THE NATIONAL DESIGN STUDIO.”
Passports.gov — currently a sign-in wall with no public footer credit, but the certificate transparency log ties it to the same infrastructure pattern (see below).
Executive Orders and Founding Documents
Executive Order 14338 — establishing the National Design Studio (August 21, 2025) — the order that created NDS, named Joe Gebbia chief design officer reporting to Chief of Staff Susie Wiles, and granted it broad authority to “design and redesign” federal digital services.
Genesis Mission executive order (November 24, 2025) — the order directing DOE to build the federal AI platform with Oracle as integration partner.
Personnel and Hiring Authority
Joe Gebbia named NDS chief design officer (Reuters) — Reuters’ reporting describing NDS as “a stripped-down successor to the controversial Department of Government Efficiency.”
Section 3161 of Title 5, U.S. Code — temporary organizations — the federal statute NDS is using to hire staff as advisors to a “temporary organization,” which bypasses normal civil service hiring, salary disclosure, and ethics review timelines.
Akash Bobba — DOGE engineer background (Wired) — original reporting on the DOGE engineering cohort, including Bobba.
dotgov-data registry (cisagov/dotgov-data on GitHub) — CISA’s authoritative repository for every federal .gov domain. The current-federal.csv file at this raw URL shows ndstudio.gov, passports.gov, realfood.gov, and trumprx.gov all registered to the Executive Office of the President, White House Office. The same file shows usadf.gov (United States African Development Foundation) listing akash@ndstudio.gov as its official security contact — meaning an independent federal agency’s cybersecurity point of contact is a personal-named mailbox at the White House design shop.
get.gov data page — the public landing page that links to the CISA registry files.
Certificate Transparency Logs
crt.sh search for %.ndstudio.gov — 979 certificates on file as of May 26, 2026. Includes subdomains for fbi-kirk-tipline.previews, vote-gov.previews and vote-gov-ndstudio.previews, trump-accounts-splashpage.previews, board-of-peace-assets, war.previews, and dozens of other staging environments that are not publicly announced.
(crt.sh crashes all the time, hence my GitHub repo at the top.)
crt.sh search for passports.gov — 26 certificates showing the rollout timeline: original cert May 5, staging/auth/api subdomains spun up May 22, and nine new certs for photo.passports.gov and photos.passports.gov issued in a single hour on May 26.
Cloudflare Access login wall at loveisaskill.cloudflareaccess.com — the SSO portal that gates vote-gov.previews.ndstudio.gov. The URL resolves to a Cloudflare Access login wall and will request an email/authentication; you cannot bypass it without credentials, but its existence confirms the preview is hosted on White House-controlled infrastructure rather than the Election Assistance Commission’s systems.
The AutoMonitor Script
The AutoMonitor source file (cdn.infra.ndstudio.gov) — the 539-line JavaScript file that defines class AutoMonitor, generates a session ID on line 7, and posts telemetry to analytics.infra.ndstudio.gov/metrics on line 8. Deployed on ndstudio.gov and confirmed on genesis.energy.gov.
PostHog analytics on TrumpRx — TrumpRx privacy policy — TrumpRx’s own privacy policy confirms it uses PostHog for usage analytics while also stating it does not collect “health or medical information.” PostHog by default records full session replays, including keystrokes and mouse movement, unless explicitly disabled.
PostHog session recording documentation — PostHog’s own docs describing what session replay captures by default.
DOGE Lineage and Court Record
American Federation of Teachers v. Bessent — the lawsuit challenging DOGE access to Treasury Department systems, including IRS taxpayer data. Court filings document the specific systems DOGE personnel were granted read/write access to.
Court ruling on DOGE Privacy Act violations (CourtListener docket) — full docket including the preliminary injunction findings.
FBI Utah Valley shooting page (fbi.gov/utahvalleyshooting) — the FBI’s official public intake page for Kirk shooting tips. Tips went through the existing 1-800-CALL-FBI line and tips.fbi.gov, generating over 11,000 tips in 48 hours.
Privacy Framework Documents That Should Exist And Do Not
E-Government Act of 2002 — Privacy Impact Assessment requirement — the law requiring federal agencies to publish a PIA before deploying any system that collects personally identifiable information.
OMB Circular A-130 — federal information policy — the binding policy requiring System of Records Notices (SORNs) for any federal system maintaining personally identifiable records.
Federal Register SORN search — search for “National Design Studio” returns zero published SORNs as of May 26, 2026.
Iron Mountain and the Retirement Pipeline
Iron Mountain limestone mine retirement processing (Washington Post) — the original “sinkhole of bureaucracy” reporting on OPM’s paper-based retirement processing facility.
OPM Digital Retirements (retire.opm.gov) — the NDS-built replacement system listed in their portfolio. Linked from ndstudio.gov/work.