Read this: a second vote.gov, registered to the White House
Every so often I read something that I think is genuinely important and badly under-read, mostly because it lives in the kind of too-technical-for-a-headline territory that the average person scrolls right past. This is one of those. The Drey Dossier published an investigation into the federal government’s new National Design Studio, and it is careful, well-cited, and pretty alarming. I want to summarize it and point you at the original, because the original is worth your time and the citations are worth checking yourself.
A caveat up front: these are the author’s findings and, in places, the author’s interpretation of them. I’m relaying the reporting, not vouching for every inference. But the underlying artifacts — domain registrations, certificate logs, executive orders, court filings — are public, linked, and verifiable, which is exactly what makes the piece hard to wave away.
The short version
There’s a new office inside the White House called the National Design Studio, created by executive order in August 2025 and run by Airbnb cofounder Joe Gebbia. Officially, it redesigns how Americans experience government websites. Its first public output, TrumpRx.gov, carries something no federal site has ever carried: a byline crediting the studio. The author clicked through, and the rest of the investigation followed from that one link.
What they found, roughly:
- The structure is built to be invisible. Staff are hired under a temporary-organization statute (Section 3161) that keeps them off salary reports and out of financial disclosures. The office reports to the Chief of Staff, not to the General Services Administration. There’s no inspector general over it. It’s the same playbook — and many of the same people — as DOGE.
- The sites are watching visitors. TrumpRx and its sibling sites load third-party session-recording analytics (PostHog) with IP addresses not stripped, configured in a way that disguises where the data actually goes — a trick normally used to slip past ad blockers. One site also runs 539 lines of hand-written JavaScript, named AutoMonitor, that copies a page’s traffic off to a private backend.
- The legally required paperwork doesn’t exist. Across twelve programs, the author found zero published Privacy Impact Assessments, zero System of Records Notices, and no published vendor contracts — the disclosures Congress mandated after Watergate. The one privacy policy that does exist contradicts itself two paragraphs apart.
- There are ~40 unannounced sites. Using public certificate transparency logs (the ledger every HTTPS certificate is recorded in), the author surfaced about forty staging sites with no public links pointing to them — including ones mimicking the State Department, NASA, and DHS, and two that stand out: a working preview of vote.gov and something called fbi-kirk-tipline. All of it traces back to the Executive Office of the President, routed through a single personal Cloudflare account.
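The certificate transparency check described in the list above, as an added example that is not code from the investigation or from this post: it reads records in the shape of crt.sh JSON output and lists hostnames that hold certificates but are missing from a published inventory, with the earliest issuance date for each. The sample records, the agency.example domain and the ANNOUNCED inventory are constructed for illustration.

```python
import json
from datetime import datetime

# Constructed sample in the shape of crt.sh JSON output (not real records).
SAMPLE_CRTSH_JSON = """[
 {"name_value": "www.agency.example\\nagency.example", "not_before": "2025-09-02T00:00:00"},
 {"name_value": "Preview-Portal.agency.example", "not_before": "2026-04-10T08:15:00"},
 {"name_value": "preview-portal.agency.example", "not_before": "2026-03-01T12:00:00"},
 {"name_value": "*.staging.agency.example", "not_before": "2026-01-20T00:00:00"},
 {"name_value": "upload.photos.agency.example\\nwww.agency.example", "not_before": "2026-02-11T09:30:00"}
]"""

# Hypothetical inventory of hostnames the organisation has publicly announced.
ANNOUNCED = {"agency.example", "www.agency.example"}


def first_seen(records):
    """Map each hostname to the earliest not_before among certificates naming it."""
    seen = {}
    for rec in records:
        issued = datetime.fromisoformat(rec["not_before"])
        # name_value holds one SAN per line; DNS names are case-insensitive.
        for name in rec["name_value"].splitlines():
            host = name.strip().lower().rstrip(".")
            if host and (host not in seen or issued < seen[host]):
                seen[host] = issued
    return seen


def unannounced(records, announced, apex):
    """Return (hostname, first_seen) for in-scope names missing from the inventory."""
    out = []
    for host, issued in first_seen(records).items():
        # Wildcard entries such as *.staging.<apex> are kept as logged.
        in_scope = host == apex or host.endswith("." + apex)
        if in_scope and host not in announced:
            out.append((host, issued))
    # Oldest first, so the earliest logged certificate for each gap is visible.
    return sorted(out, key=lambda item: item[1])


if __name__ == "__main__":
    records = json.loads(SAMPLE_CRTSH_JSON)
    for host, issued in unannounced(records, ANNOUNCED, "agency.example"):
        print(f"{issued.date()}  {host}")
```

Run against an organisation's own domains, the same comparison shows which staging or preview hosts are already publicly discoverable through certificate logs before anyone has linked to them.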
Why the vote.gov part matters
After Florida 2000, Congress deliberately put voter-registration infrastructure outside the sitting president’s reach — vote.gov belongs to the independent Election Assistance Commission. The investigation found a working preview of vote.gov built inside the studio’s environment, with a certificate dated April 10, 2026. The tension the author draws out: in related litigation, the DOJ told a federal court the relevant agencies hadn’t begun building anything. A timestamped certificate and that court statement can’t both be true.
There’s a parallel thread on passports.gov — also registered to the White House rather than the State Department, with photo-upload subdomains spun up — which would mean biometric-quality images collected through infrastructure the public can’t see. And because of the Presidential Records Act, much of this could stay sealed until 2040.
Why I’m posting it
Two reasons. First, the citations. The piece ends with a long, specific sources list — the CISA .gov domain registry, the crt.sh certificate searches, the executive orders by number, the court dockets, the studio’s own blog posts. You don’t have to take anyone’s word for it; you can open the same files. That’s the standard I wish more of this kind of writing met.
Second, this is precisely the sort of story that struggles to travel. “The footer of a drug-pricing site has a byline, and certificate logs reveal forty staging domains” is not a sentence that goes viral, even though what it points to is a big deal. So consider this a small boost in its direction.
Go read the original. It’s longer than a summary can do justice, and the details are the point.