‘It’s dangerous and it’s going to erode trust’: redesign of US government websites stokes surveillance fears
“The National Design Studio (NDS), a White House office led by Joe Gebbia and staffed by former Doge employees, has been quietly redesigning sensitive federal websites. The NDS’s approach, including the use of commercial tracking software and bypassing normal federal oversight, raises concerns about privacy, transparency, and potential misuse of data. The studio’s operations, funding, and contracting arrangements remain largely opaque, further fueling these concerns.
The National Design Studio, staffed by Doge veterans, installed visitor-tracking software on vital federal websites
An opaque White House office staffed largely by veterans of Elon Musk’s “department of government efficiency” (Doge) has quietly rebuilt some of the federal government’s most sensitive websites – for passport applications, voter registration, prescription-drug pricing and children’s savings – in ways critics say appear to violate federal law.
The National Design Studio (NDS) was established by a Donald Trumpexecutive order last August, and is led by Trump-aligned Airbnb co-founder Joe Gebbia and staffed by Doge veterans.
A Guardian investigation has found the office has apparently been developing or redeveloping sensitive federal websites, including those connecting Americans with prescription drugs, children’s savings accounts, passports and voter registration. The investigation corroborates and advances earlier reporting by the Drey Dossier, a YouTube investigative outlet.
The NDS built and now operates four public federal websites: ndstudio.gov, trumprx.gov, realfood.gov and trumpaccounts.gov. All four ran commercial visitor-tracking software, configured to evade the privacy tools many web users install, and none carry the public filings federal privacy law requires under laws including the Privacy Act of 1974 and the E-Government Act of 2002.
Separately, none of the NDS’s spending or its arrangements with outside vendors appears in USAspending, the federal contracting database, raising questions about how it is funded and overseen.
Separately, the NDS has also built and runs White House-controlled versions of services the US Congress assigned to other federal agencies, including a passport-application portal that bypasses the state department’s existing site, and a copy of voter-registration site vote.gov.
Combined, the sites route sensitive interactions Americans have with their government through infrastructure the White House apparently controls, and outside the reporting and accountability systems that normally cover federal agencies.
Analysis of the underlying source code for four of the websites found that on at least two of them, the studio installed a commercial tool called PostHogthat closely tracks what every visitor does on the site. Another tool, apparently made in-house, sends user data to a destination that is not visible on the public internet.
The NDS apparently removed this tracking software after the Guardian reached out to the White House with a detailed series of questions on the NDS’s operations on 4 June. On 17 June, White House spokesperson Liz Huston responded: “All National Design Studio personnel comply with all legal requirements in their important work to improve how citizens interact with their government.”
The studio has also built versions of services legally assigned to other agencies, including a passports website, and a copy of Login.gov, the gateway more than 150 million Americans use to sign in to federal services, the latter reportedly being overseen by a former Doge engineer who moved to the studio.
The NDS has also apparently built a copy of vote.gov, the federal voter-registration site that by law belongs to an independent bipartisan commission inside a website site only accessible with a White House login.
A federal voter-registration system run from inside the White House, with identity and citizenship checks routed through systems the administration controls, could let an incumbent see who is registering, or check their registration, in the weeks before an election.
Public ownership records maintained by the Cybersecurity and Infrastructure Security Agency (Cisa) list the executive office of the president as the registrant of the studio’s sites, including passports.gov and the vote.gov copy, meaning that the office controls the domains. Questions remain about the sort of access that this could give the White House to voter registration data.
John Davisson, senior counsel at the Electronic Privacy Information Center (EPIC), said the studio’s approach risked creating a second version “a whole sort of second skunk-works version of the federal government with all these shady tracking technologies and outside of the parameters of normal federal privacy laws”.
A skunk works is a figurative term for an experimental department within a larger organization with freedom to operate outside normal procedure.
The Guardian sent a detailed list of questions about the NDS to the White House Press Office for the attention of Gebbia and the White House chief of staff, Susie Wiles, who has oversight of the studio. Separately, the Guardian sent a request to Gebbia’s presumed email at the NDS (no addresses are publicly listed). There was no response.
The National Design Studio
Donald Trump created the NDS by executive order on 21 August 2025, ostensibly to overhaul federal websites and digital services. The office sits within the executive office of the president as a “temporary organization”, a designation that places it outside the Senate confirmation process, outside the financial disclosure system applied to most federal appointees and outside the inspector general’s jurisdiction, which covers cabinet departments.
The studio is staffed under the same hiring authority that ran Doge. The studio’s spending, and any contracts it holds with outside vendors, do not appear in the federal contracting database USAspending or in any other public-facing record of US government spending.
Gebbia, who became a multibillionaire after co-founding Airbnb, leads the office as chief design officer of the United States. He stepped back from any daily role at Airbnb in 2022, and joined the Tesla board that September.
Gebbia had reportedly been a “longtime Democratic donor” but in a lengthy January 2025 X post said that he had voted for Trump, casting the about-turn as a response to “living in the eggshell ages of these last few years. A time of silence, shaming, and fear, where calling a duck a duck meant you hated ducks”. Since then he has leaned into his support for rightwing causes, and also made a $2m donation to a Super PAC supporting Andrew Cuomo in his unsuccessful face-off against then candidate for New York mayor Zohran Mamdani.
In April 2025, he stepped down as chair of the board at airbnb.org, the company’s affiliated non-profit, following backlash to his taking a role at Doge.
Gebbia spent about six months at Doge in the first half of 2025, leading an initiative to digitise federal retirement records held at Iron Mountain for the federal office of personnel management. The executive order that created the role said that the office would be supported by an administrator who reports directly to White House chief of staff, Susie Wiles.
At least two other figures with Doge backgrounds work alongside him. Greg Hogan moved to the studio and, according to Drey Dossier reporting, was put in charge of Login.gov.
Akash Bobba, one of Musk’s original six Doge engineers, also apparently moved to the studio. His NDS email address is listed in the Cisa federal .gov registry as the security contact for the United States African Development Foundation, an agency unrelated to the studio’s stated mandate.
While there is very little transparency about NDS staffing, several photos and one video on the NDS website appear to depict as an employee Edward “Big Balls” Coristine, an early Doge employee who allegedly exposed the social security data of hundreds of millions of Americans on the way to becoming a pop culture punchline.
The studio’s funding and contracting arrangements are similarly opaque. A search of USAspending returns no record of the National Design Studio either as a paying agency or as a recipient of funds.
There is no public record of how the studio pays its developers, PostHog or any of the other commercial services its sites use. The hiring authority the studio operates under keeps its staff roster off the financial-disclosure system that covers most federal appointees, and the executive office of the president, which houses it, has no inspector general.
PostHog
The use of commercial tools on the sites departs from federal web-team conventions. Davisson, the senior counsel at the EPIC, described the studio’s work as “trying to establish their own sort of fly-by-night version of what federal agencies normally do with added tracking technologies and less oversight”.
This is most apparent in the NDS’s employment of user tracking prior to outreach from the Guardian, such that when a member of the public visited one of the studio’s federal websites, a commercial tool called PostHog recorded what they did on the page.
PostHog’s session-recording feature, which can replay every click, scroll and keystroke of a visitor’s time on a webpage, is installed in the code of all four sites and enabled on two of them. On the remaining two, the recording is held inactive only by a single setting inside PostHog’s dashboard, which can be changed by whoever controls the website at any time.
The Guardian emailed PostHog for comment on its apparent provision of tracking tools to the NDS, but received no response.
Adblockers and similar privacy tools are used by millions of people to limit what third parties can learn about them as they browse. Most of them work by intercepting requests that a visitor’s browser makes to known tracking services – and blocking them before any data leaves the device.
Website source code shows that PostHog has been configured on NDS-run sites to route analytics requests through an address on the federal website itself, rather than through PostHog’s own servers. Because the request appears to go to the site the user is already visiting, rather than to a recognisable third-party address, adblockers don’t flag it.
As PostHog explains in its own documentation, this works “because ad blockers haven’t visited your domain to catalog your setup. They don’t know what to block.” In other words, the technique is specifically designed to evade privacy tools – by presenting commercial tracking as ordinary website activity.
Serge Egelman, research director of the Usable Security and Privacy Group at the International Computer Science Institute (ICSI), explained: “The issue there is that over the last several years, due to abuses relating to this type of data collection, there’s basically an arms race with tools being released to allow consumers to try and exert some control over what data gets collected.”
Egelman said that he had not looked specifically at the PostHog tool or its deployment on federal websites, but he did point to a lawsuit involving the addition of commercial tracking technology to a state government website.
“I testified on Meta where the [Meta] Pixel was put on the California DMV website. And Meta was able to obtain information about when people are requesting, say, disability placards, reinstating a suspended license, things like that – sensitive information that’s actually protected by federal law.”
He added: “It’s not like someone going to the DMV website expects a private company to receive their personal data and then be allowed to use that however they want.”
PostHog comes with a separate feature called session recording, which plays back every click, scroll and keystroke a visitor makes, like a video recording of their entire visit. Princeton University researchers who first documented the technology in 2017 wrote that watching such a recording was “as if someone is looking over your shoulder”.
On the Trump Accounts and TrumpRX websites, the feature has been built into the page code and is held inactive only by a single setting inside PostHog’s dashboard. The NDS can turn it on at any time, on either site, without making changes in the underlying website code.
Separately, until the Guardian sought comment on this reporting, the NDS’s own website, ndstudio.gov, ran a 539-line piece of bespoke code that recorded visitors’ clicks, form entries and navigation; assigned each visitor a session identifier; and forwarded the captured data to an address that does not appear anywhere on the public internet. The script’s source code refers to it as AutoMonitor.
A 2002 federal law, the E-Government Act, requires any federal agency that collects personal information through a website to first publish a written privacy impact assessment explaining what it collects and where the information goes. The Privacy Act of 1974 requires a separate, parallel public notice, a “system of records notice”, describing the records the agency keeps. A 2010 office of management and budget memorandum extended both requirements to federal agencies’ use of commercial web-tracking tools, including the kind that PostHog provides.
The Guardian could find no such filings for the studio’s web-tracking layer. None of the four sites carry a privacy impact assessment naming PostHog or describing the IP addresses and on-site activity the tool collects. None of the four are covered by a system of records notice that addresses what is collected or where it goes.
The one published privacy instrument that relates to any of the four programmes, a treasury notice for the Trump Accounts programme, describes how the children’s-investment programme is administered but does not name PostHog and does not describe the tracking on trumpaccounts.gov at all.
Davisson, the EPIC attorney, called the studio’s failure to publish such a notice “a pretty clearcut violation of section 208” of the E-Government Act, adding: “There’s just no suggestion that they’re trying to comply in good faith with any of their obligations when it comes to the collection of personal information.”
It’s not known what data was collected from users of the government websites while the tools were live, whether it was retained and who has custody of the data.
Vote.gov
Some of the NDS’s work is even more opaque, including an apparent redesign of the federal government’s voting registration hub.
A sign-in page run by the studio on a White House-controlled web address carries the title “Log in to vote.gov preview”. Above the password field is a notice: “For official use only. Actions will be recorded in accordance with applicable law.”
Vote.gov is a federal voter registration website. By law it belongs to the Election Assistance Commission (EAC), an independent, bipartisan body that Congress established in 2002 after the disputed 2000 election. Congress created the commission specifically so no sitting president would control the federal voter-registration system.
The studio’s version has been live on White House systems since 17 September 2025, according to public records of secure web addresses.
Late last year, the NDS began presenting its system to state election directors.
The first such briefing, on 17 October, was on a call of the National Association of State Election Directors (NASED). Call notes summarising the meeting record members representing states of both parties expressing“serious concerns with this project not complying with state law” and noting that “the developers do not seem to want to spend the time to understand election official concerns”.
Brianna Schletz, the Election Assistance Commission’s executive director, reportedly told state directors on the same call that the conversations were “informal”, and that commissioners would later vote on whether to stay involved. No record of any such vote has since appeared in the commission’s public proceedings.
Asked for comment by the Guardian, a NASED spokesperson, Amy Cohen, confirmed by email that “NASED held a call in October joined by representatives from the National Design Studio and members of the EAC leadership team”.
Cohen added: “NASED does not have a position on this project. NASED has had no further communication with the National Design Studio on this or any other project; both NASED as an organization and our members in their individual capacities engage with the EAC regularly about a variety of different topics and projects.”
Six days after the 17 October meeting, on 23 October, a National Design Studio engineer, Akash Bobba, reportedly briefed the system on a recorded conference call organised by the National Association of Secretaries of State. Under the studio’s design, voters would be required to verify their identity through Login.gov, the federal sign-in gateway, and to have their citizenship checked against a database run by the Department of Homeland Security.
Asked on the call what the federal government would retain of the personal information voters entered into the system, Bobba reportedly said that “clear data retention policies” would be given to states ahead of implementation, but conceded: “I don’t know what they retain and what they are logging.”
The Election Assistance Commission has been part of the discussions. Its chair, Donald Palmer, reportedly said the commission was “facilitating discussion with state election officials on modernizing an accessible tool to provide a verifiable digital registration option”.
The Guardian contacted the Election Assistance Commission for comment but received no response.
The EPIC’s Davisson said: “With vote.gov, that’s the province of the Election Assistance Commission. But if you’re centralizing that in the White House, the White House is going to have sort of access to that backbone of data.
He added: “Doing that outside of the appropriate channels, I think, is definitely going to – it’s dangerous and it’s going to erode trust.”
The Help America Vote Act of 2002 put voter-registration administration under an independent bipartisan commission, structurally outside the reach of any sitting president. The studio’s version appears to collapse this arm’s-length arrangement.
The Guardian has not seen what is on the other side of the sign-in, but published Cisa records show who runs the system it lives on, which is under White House control. The commission Congress put in charge of vote.gov has not decided to formally participate in the initiative. The build itself is on White House systems.
Passports and money
The studio has also built or taken control of websites that belong, by law or by convention, to other federal agencies. The sites handle some of the most sensitive personal information Americans give to the government.
Passports.gov is now run from inside the White House, not from the state department. The state department operates US passport services through its existing site at travel.state.gov. The studio’s version collects identity information from people applying for passports. It carries no privacy notice. Developer test code was left running on the live page.
In response to a request for comment, a state department spokesperson wrote: “The Department of State is working closely with the White House to deliver the best possible service for our passport customers while safeguarding US national security.”
They added: “US passport books and passport cards – and the programs and websites that support them – represent the gold standard in secure international travel documents, underpinned by state-of-the-art security and technology.”
They referred additional questions to the White House.
Trumpaccounts.gov is the federal website for the children’s investment programme created in last summer’s tax legislation. The treasury department, which administers the programme, is the registrant of record for the site. But the site itself runs through the same White House-controlled commercial account as the studio’s own sites: ndstudio.gov, the prescription-drug site trumprx.gov, the food-policy site realfood.gov and others. The treasury department did not respond to a request for comment.
Login.gov is the federal sign-in gateway that more than 150 million Americans use to access services from social security to tax filing. The studio’s preview of vote.gov, described in the previous section, uses Login.gov to verify the identities of visitors.
The Guardian contacted the General Services Administration (GSA), which operates Login.gov, for comment.
A spokesperson replied in an email: “Login.gov is committed to the highest standards of privacy, transparency, and security. Our Privacy Impact Assessment was most recently reviewed in March 2026. All personnel supporting Login.gov, including detailees, are required to comply with applicable GSA policies, security requirements, privacy controls, and governance processes.”
The NDS, meanwhile, seems to be expanding its footprint across more government websites.
In late May, three new addresses tied to the NDS appeared in the public records: chat.staging.ndstudio.gov, onboarding.ndstudio.gov and upload.ndstudio.gov.“
No comments:
Post a Comment