[DISCLAIMER: This is a summary, written by the author, of her Substack article, and accompanying video. There's some speculation in the article and video. However there are a lot of verifiable citations as well. See the citations at the bottom of the actual Substack article.]

I found a second vote·gov -- and it's registered to the White House

The Drey Dossier

thedreydossier.substack.com/p/…

"There is a moment in every investigation where the thing you have been looking for finds you instead. Mine found me on TrumpRx.

If you have not been to TrumpRx, it is a federal drug pricing website that looks like Wix and a Pinterest board threw up on each other. There is a gold three-dimensional eagle on the homepage clutching a ribbon in its talons that says TrumpRx. There are pills floating across the screen like a pharmaceutical screensaver. The tagline, and I am quoting directly from a website owned by the United States government, invites you to TrumpRx the price. It has the typography of a Brooklyn juice bar and the self-regard of someone who has never been told no. It is, in every conceivable aesthetic sense, a catastrophe. And while you are busy looking at the eagle, the website is busy looking at you. I wish I were being metaphorical.

In the footer of the page, beneath all of it, I found something I have never seen on a federal government website in my life. A byline. The government does not do this. The IRS does not sign its work. The FBI does not. Social Security does not. No federal agency that has ever built a website has felt the need to take credit for it. In plain bold text, sitting directly above the privacy policy, it said: Designed and Engineered in D.C. by National Design Studio. So I clicked through.

The National Design Studio was created by executive order in August 2025. Its job, officially, is to redesign how Americans experience their government. Its leader is Joe Gebbia, cofounder of Airbnb, which is to say he is a man who looked at the American home and saw an untapped revenue stream. If anyone understands how to improve public spaces, it is the company that took residential ones and made sure the public could never afford them again. He reports directly to White House Chief of Staff Susie Wiles, which is a strange place to house a website design agency. A technology office that builds federal websites should answer to the General Services Administration, or at minimum to the agencies whose websites it is building. Instead it answers to the person who controls access to the President. His position requires no Senate confirmation, which means he files no financial disclosures, which means the office he runs does not appear in any federal procurement database, which means as far as the official record is concerned, it barely exists.

Which, as I was about to find out, was entirely the point.

The structure of the National Design Studio will be familiar to anyone who has been paying attention. Staff are hired under a federal authority called Section 3161, written for temporary advisory bodies, which means most of them are part-time advisors or volunteers. They do not appear on the White House salary report. They answer to no inspector general, because the Executive Office of the President does not have one. If that sounds familiar, it should, because it is exactly how DOGE was run.

Gebbia spent six months at DOGE before taking his current role. The senior staff at the National Design Studio, when you pull the bylines from their blog posts and run the names against court filings, come back from the same place, DOGE, the same DOGE currently named as defendant in multiple federal lawsuits for letting engineers without proper security clearance access Social Security data and Department of Homeland Security data, and for sharing sensitive federal information with outside parties. The National Design Studio is not a successor to DOGE. It is DOGE with a better logo and a design philosophy.

Now, back to TrumpRx looking at you.

Every webpage you load is making phone calls. Not to people, but to servers around the internet, dozens per second, all invisible to you. When I opened TrumpRx, I right-clicked the page, opened the browser's built-in inspector, and started reading the list. Mixed in with the routine traffic was a name I recognized: PostHog. PostHog is a Silicon Valley analytics company whose entire business model is recording what visitors do on a website and reporting it back to whoever owns the site. Mouse movements, clicks, scrolls, keystrokes. I had not typed anything. I had not clicked anything. I had just opened the page, and it was already on the phone with PostHog telling them about me.

The recordings are not anonymized. IP addresses are not stripped. And the way it is configured, the data looks to your browser like it is going back to TrumpRx, but it is actually being forwarded behind the scenes to PostHog. That is a technique used to slip past ad blockers by disguising where the data is really going, and it is not something I expected to find on a federal health website. So I went and looked at the other sites the studio had built. Real Food, the federal food policy site. Trump Accounts, the children's savings program. The studio's own homepage, ndstudio. gov. All of them had the same vendor, the same setup, IP addresses not stripped, the same forwarding trick. And on ndstudio. gov alone, running alongside PostHog, was something someone had built entirely by hand. Five hundred and forty lines of custom JavaScript with a name embedded directly in the code: AutoMonitor. What it appears to do is rewire the part of the browser that handles how a page talks to the outside world, so that every conversation the page has with any server gets copied and forwarded to a private backend with no public presence. The studio has the structural ability to keep a copy of every recording as it passes through their infrastructure. I cannot prove they are keeping one. The pipe is built that way on purpose, and that is the part that matters.

When the federal government collects information about citizens, the law requires specific things first. Privacy disclosures. Notices in the Federal Register. Published contracts with outside vendors. I went looking for all of it across twelve National Design Studio programs and found none of it, not a single required document filed across any of the twelve. Every missing document is, by itself, a violation of federal law, and these are the laws Congress wrote after Watergate to make sure the federal government could not run secret surveillance programs on its own citizens. The only document they did publish is a privacy policy on TrumpRx, and it contradicts itself two paragraphs apart. The first paragraph says PostHog records the pages users visit and the medications they view. Two paragraphs later, it says they do not collect health or medical information. A federal health website is lying to the people using it and cannot even keep the lie consistent.

I wanted to know whether there were more sites the studio had not announced. Here is something almost nobody outside of security research knows. Every website with a padlock in the address bar has a certificate, and there is a rule that every certificate issued anywhere in the world must be logged in a public ledger the moment it is created, no exceptions. The side effect of that rule is that every new website on the internet, even ones nobody has announced and even ones hidden behind a login, leaves a public fingerprint the moment it is built. There is a free search engine called crt.sh where anyone can look up those logs. I typed in the studio's domain, and underneath the public sites I already knew about were roughly forty more, unannounced, with no links pointing to them from any public page. I started reading the names. Sites that looked like they belonged to the State Department. To NASA. To the Department of Homeland Security. And then two that stopped me cold: a working preview of vote. gov, and something called fbi-kirk-tipline. I checked the public ownership records for every subdomain, and every single one traced back to the same place, the Executive Office of the President. The National Design Studio had built pre-launch versions of websites belonging to other federal agencies and registered all of it to the White House.

All of it ran through the same private Cloudflare account. Using Cloudflare is not unusual for a federal agency. Running forty federal websites through one personal account is another matter. The login screen for the gated preview sites read: loveisaskill.cloudflareaccess. com.

Love is a skill is a phrase Gebbia has used publicly to describe Airbnb's design philosophy. It is the kind of name you give an account when it belongs to you personally, not when it belongs to the federal government, and federal infrastructure is supposed to be owned by the agency, not the person running it.

The people running this office are worth knowing about. In 2025, a federal judge ordered everyone at DOGE blocked from accessing personnel records at the Office of Personnel Management. Three people were granted exceptions and allowed to keep their access anyway. Greg Hogan was one of them. The administration argued he was essential to ongoing system work, the judge accepted it, and Hogan kept his access to federal personnel records while every other DOGE staffer was locked out. He has since moved from DOGE into the National Design Studio, where he was recently promoted to run Login. gov, the federal government's sign-in system. If you have ever applied for a federal job, requested your Social Security records online, or filed for federal benefits, you have used it. It scans your biometrics. More than 150 million Americans have accounts. The man who survived the OPM injunction now runs the front door to your federal identity.

A second name from the original DOGE cohort, Akash Bobba, now serves as the official security contact for the US African Development Foundation, a small independent agency the administration tried to dissolve by executive order earlier this year. The dissolution got tied up in court, the agency technically survived, but most of its staff was cleared out. Bobba now holds the credentials controlling the agency's website, its email, and its security configuration, which means a White House staffer has full visibility into who applies for grants, who gets approved, and who inside that agency is talking to whom.

In October 2025, Bobba got on a recorded conference call with state election directors from across the country and presented a federal voter registration system the studio was building. Voters would register through a federal portal, their identities verified through Login. gov, their citizenship verified through DHS's SAVE database, their registrations transmitted to the states. A state election director asked him what data the federal government would retain. He said, on a recording, in an election year: I don't know what they retain and what they are logging. The person presenting a federal voter registration system to state election directors did not know what data his own system kept on American voters.

After Florida 2000, Congress passed a law creating the Election Assistance Commission specifically because both parties agreed that voter registration cannot live inside the White House of any sitting president. The sitting president should not have visibility into who is checking their registration in the weeks before an election that decides whether they keep their job. So Congress built a wall, and today vote. gov is registered to the Election Assistance Commission. As of this writing, that wall is still standing.

But in the certificate logs, underneath the studio's unannounced sites, was a working preview of vote. gov, built inside the studio's staging environment, behind the same Cloudflare login, isolated deliberately. The certificate appeared on April 10, 2026. Weeks before that certificate appeared, this administration signed an executive order requiring DHS, the Social Security Administration, and the SAVE program to construct a federal citizenship-verified voter list, with a deadline of ninety days from signing. That deadline is weeks away. When the order was challenged in federal court, the Department of Justice told the judge the agencies named had not yet begun preparation and were still in the deliberation phase.

The certificate is dated April 10. DOJ told a federal court the infrastructure does not exist. Both of those cannot be true. Either DOJ lied to a federal judge, or the studio is building a replacement for the country's voter registration site without telling the agencies whose work it would replace. There is no third option.

While I was finishing this piece, I typed passports. gov directly into my browser, just to see what was there. A sign-in page came up: enter your email and we will send you a six-digit code. No State Department seal. No agency name. No privacy notice. Just a black button that says Send code. The owner of passports. gov is the Executive Office of the President, White House Office. The State Department does not own this domain. The security contact field is blank. The first certificate was issued May 5, three weeks ago. Based on what I can see in the staging environment, the next step will ask Americans to upload their passport photo through a White House-controlled website, on the same Cloudflare account, by the same people, with no privacy notice on file. A passport photo is biometric quality. Linked to your identity through Login. gov. Collected through infrastructure the White House owns, sealed from public view. They are building it this week.

Here is what the structure looks like from the outside. Section 3161 hides the staff so they do not appear on salary reports or file financial disclosures. The Executive Office of the President has no inspector general. There are zero required privacy disclosures filed across all twelve programs and no published contracts with any outside vendor. Forty federal websites run behind one personal Cloudflare account. And the Presidential Records Act seals everything for twelve years the day this administration ends, meaning until 2040, no one outside the White House can see who works there, what they collected, or where any of the data went.

What this office is doing is taking the parts of the federal government that touch you directly, your prescription, your voter registration, your passport, your federal login, out of the agencies that legally own them and rebuilding them on White House infrastructure. Vote. gov belongs to the Election Assistance Commission, and the studio built a copy. Passports belong to the State Department, and the studio is building a replacement this week. Login. gov belonged to GSA, and the studio's guy runs it now.

Trump has said publicly that this infrastructure is for other presidents, and he is right about that. It is the one thing in this story I take him at his word on. The infrastructure outlasts him. Whoever wins in 2028 inherits the websites, the vendors, the data, and the hardware, sealed and waiting.

There is a gold three-dimensional eagle on the homepage of TrumpRx, clutching a ribbon in its talons. You are looking at the eagle. Something is being built underneath the government you think you have, on infrastructure you cannot see, by people who answer to no one, collecting everything.

I wish, still, that I were being metaphorical."

~ The Drey Dossier

Additional references:

en.wikipedia.org/wiki/National…

en.wikipedia.org/wiki/TrumpRx

crt.sh/

#resist #resistance #protest #surveillance #news #broligarchy