Anonymity and the Internet

Started by Jacob, May 04, 2026, 04:01:09 PM

HVC

"Thinking of the children" to push through poorly thought out (or worse malicious) legislation is so cliche even the Simpsons were making fun of it 40 years ago. Sad that it still works on so many.
Being lazy is bad; unless you still get what you want, then it's called "patience".
Hubris must be punished. Severely.

Sheilbh

Quote from: crazy canuck on May 05, 2026, 09:43:08 AM
Regulation is not a buzz word. And you do a lot of damage by suggesting that it is so. Not the first time and I really wish you would think more carefully about your broad generalizations.

You empower those who think regulation is evil. Much better to do what you did at the beginning of your post to critique the regulation and suggest ways in which it could be made more robust.

I think I do zero damage by having trenchant views and expressing them here :P

But on the buzzword point I think part of this is a difference in perspective. I'm in Europe and I work in tech and digital law. Regulation absolutely is a buzzword here. There are sweeping regulations that have been brought on tech companies in the last 10 years (all following the justifiable and impressive success of GDPR) - I think the desire to regulate and say we have regulated has taken priority over questions of what the purpose, effectiveness and trade off of those regulations are. This is the point that Breton (and Draghi) have made. There were big celebrations within EU official circles and it was a big point that VDL made that Europe was the first to regulate AI (not really true but I'll leave that to one side).

The purpose of the regulation was to pass a regulation to say we're first. I think part of it is just the European self-image of the EU as a regulatory super-power - I've literally seen this in presentations from European civil servants that America is capitalist and leads the world in developing new technology quickly without regard to risk, China leads the world in implementing it in support of political and very "national security" objectives and Europe leads the world in ethics and regulation. I'd add that factually I don't think that's true recently (lots of the world copied GDPR - no-one except the UK has copied the DSA, DMA, AI Act etc).

But also to Breton and Draghi's point why are we celebrating regulating the technologies of the future when we don't actually have any European champions to regulate? It is a chimera of tech sovereignty - and I'd question how meaningfully the Chinese and American tech companies we are relying on are meaningfully complying with those regulations. And as Draghi especially has flagged these regulations meaningfully increase the cost and difficulty for European competitors to emerge. Just within the last few years the EU has passed or started drafting the Data Act, the AI Act, the Cyber Resilience Act, the Digital Markets Act, the Digital Services Act, the EU Accessibility Act, the Digital Fairness Act - there's at least another one or two data and cyber security regulations that are coming but I can't remember. Relatively few businesses will be impacted by all of them - but even just assessing what does or doesn't apply is a lot of work and despite covering very, very similar concepts/issues they don't all fit together ("without regard to x Act/Regulation" does a lot of lifting in the drafting of these). But as I say, the regulation is the point. It is the end rather than the means (and this despite Draghi's recommendations).

Quote from: DGuller on May 05, 2026, 10:58:33 AM
I'm reasonably sure that the government already has ways to do entity resolution to associate anonymous accounts with people, but enabling all vendors to do it by removing Internet anonymization would be really bad. ChatGPT already has a very good read on my personality, strengths and weaknesses. The idea that, for example, a sales agent can do an AI query on my personality before deciding on what buttons to push to make a sale feels dystopian.

Yeah. On the dystopian front I think the conversation around personalised advertising within AI is interesting for exactly those reasons and it is very much the next frontier in the online behavioural advertising world.

Quote from: Sophie Scholl on May 05, 2026, 10:26:25 AM
To my eyes, it seems to be regulating users, though. Not big tech. It gifts big tech (and presumably the government) lots of information and helps big tech cover themselves in case of lawsuits. It does nothing to benefit the public, though, only cost them privacy, time, and giving up even more data to more "partners".

I think this is how it entrenches their dominance because the way it's broadly been implemented is as "duties" on the big platforms. It is for them to determine and consider how much they really want to spend on fine grained judgements. It is strengthening their position as gatekeepers/walled gardens - which lets them capture more economic value, which lets them strengthen their dominance etc.

I'd add from a Euro-perspective tax helps but it's the reason OpenAI, Amazon, Meta, TikTok, Google etc all have their European headquarters in Dublin or Luxembourg because it means they interact with those regulators on the day-to-day. Even with the best will in the world and assuming there was no regulatory capture (and there 100% is) we're talking regulators of very small member states taking point dealing with some of the biggest, most technically advanced and well-funded companies in the world. In a way I also think the American model of regulation which you see through state AGs, but also the SEC, may be more effective - where regulation is effectively a form of law enforcement. They hire lots of lawyers who are basically prosecutors, they have warrant powers etc.

The UK regulator on data for example is the best funded in Europe, and I think broadly one of the most technologically sophisticated (the French are also excellent). I was at an event with the former Information Commissioner a few years ago and asked about this and she said the biggest shock was just how much they had to spend on litigation. Because European regulators are administrators - the investigation is led by a case worker with some rights to information, not a prosecutor and not quite as strong as warrant power (the UK regulators now actually have warrant power). There is a trend of European regulators going pretty gung-ho and then it getting overturned on appeal/as soon as judges get involved because they're kind of administrators who keep on fucking up procedurally rather than prosecutors building a case.

In part I think this also reflects the very, very broad remit of a lot of European tech law - so lots of focus is spent on, for example, public sector uses like hospitals and schools or providing guidance for charities or small businesses. All of which is really important but I think needs a slightly different skillset and mindset than the sharp-elbowed, aggressive approach needed with big tech.
Let's bomb Russia!

Crazy_Ivan80

Quote from: Sophie Scholl on May 05, 2026, 10:26:25 AM
To my eyes, it seems to be regulating users, though. Not big tech. It gifts big tech (and presumably the government) lots of information and helps big tech cover themselves in case of lawsuits. It does nothing to benefit the public, though, only cost them privacy, time, and giving up even more data to more "partners".

indeed.

viper37

Quote from: Jacob on May 04, 2026, 04:01:09 PM
I came across this article online recently: Security software CEO warns: We could be facing the 'death of anonymity online'

The specific article itself doesn't matter that much, but the general trend towards age verification for adult stuff is real. Similarly, there's the ongoing back and forth in the EU about Chat Control.

I'm curious if any of you have any thoughts or insight on possible less-or-no-anonymity-on-the-net scenarios and potential impacts.

It seems to me that the primary framing of the public discourse is around the following:
  • It will allow us to keep children from accessing porn (and other stuff deemed harmful).
  • It'll make loads of adults feel weird about accessing porn because it'll be linked to their actual identities somehow.
  • It'll allow governments way too much insight into political speech and that's going to lead to bad places.
  • Something about free speech.
But what are the other possible ramifications?

What's the possible impact on social media if anonymity is curtailed? Will it render large parts of the social media economy reliant on bot farms and the like inoperative? How much of an impact will it have on foreign (or domestic) online influence operations?

How big of a threat is it to the bottom lines of social media companies like Meta, Twitter, etc (and therefore, how much should we expect to see them oppose it)? Or is it not a threat?

To what degree will malicious (or simply profit seeking) actors be able to get personal data on individual people if there's no anonymity? And is it actually that different from what is available to Google, Meta, Microsoft et al. now?

I'm curious if any of you have any insight or have read any compelling analysis on the topic?

This whole puritanical idea of keeping porn out of children's hands is so stupid.

Our data keeps getting leaked by corporations and government who don't invest as much as they should in security, or use antiquated practices.

And we have seen the danger with authoritarian countries such as China, Russia and the US of allowing governments easy access to dissenter's speech.

ICE is requesting information on Reddit's Canadian users who criticized its agents.  The US govt easily censored free speech on social media platforms and traditional media for general users, it's now going after private users.

The Canadian government is going to do the same at some point, don't kid yourself. It's not about porn or pedophilia.  
I don't do meditation.  I drink alcohol to relax, like normal people.

If Microsoft Excel decided to stop working overnight, the world would practically end.

HisMajestyBOB

Probably prudent to put a copy of TailsOS on a USB stick.
Three lovely Prada points for HoI2 help

crazy canuck

Quote from: HVC on May 05, 2026, 11:04:43 AM
"Thinking of the children" to push through poorly thought out (or worse malicious) legislation is so cliche even the Simpsons were making fun of it 40 years ago. Sad that it still works on so many.

Framing regulation in that way is beyond cliché. It's just fucking lazy thinking.
Awarded 17 Zoupa points

In several surveys, the overwhelming first choice for what makes Canada unique is multiculturalism. This, in a world collapsing into stupid, impoverishing hatreds, is the distinctly Canadian national project.

crazy canuck

Quote from: viper37 on May 05, 2026, 04:07:33 PM
This whole puritanical idea of keeping porn out of children's hands is so stupid.

Our data keeps getting leaked by corporations and government who don't invest as much as they should in security, or use antiquated practices.

And we have seen the danger with authoritarian countries such as China, Russia and the US of allowing governments easy access to dissenter's speech.

ICE is requesting information on Reddit's Canadian users who criticized its agents.  The US govt easily censored free speech on social media platforms and traditional media for general users, it's now going after private users.

The Canadian government is going to do the same at some point, don't kid yourself. It's not about porn or pedophilia. 

Oh, for fuck sakes, the stupidity of this is astounding.

People share so much fucking personal information online it's ridiculous.  People post their personal views online all the time in a way that is easily traceable to them.

Are you really so naïve as to not understand that state actors can already obtain the information about who is posting information online.

Do yourself a favour and look up what a Norwich Order is.  I can walk into court today and get an order, revealing the identity of anyone in the world who has allegedly defamed my client.

You guys are living in an infantile fantasy that never existed. Most of you wave around the principle of free speech without even understanding what it is you're talking about or the legal context in which it exists.  And you guys are the smart ones in society.

viper37

Quote from: crazy canuck on May 06, 2026, 11:18:01 AM
Quote from: viper37 on May 05, 2026, 04:07:33 PM
This whole puritanical idea of keeping porn out of children's hands is so stupid.

Our data keeps getting leaked by corporations and government who don't invest as much as they should in security, or use antiquated practices.

And we have seen the danger with authoritarian countries such as China, Russia and the US of allowing governments easy access to dissenter's speech.

ICE is requesting information on Reddit's Canadian users who criticized its agents.  The US govt easily censored free speech on social media platforms and traditional media for general users, it's now going after private users.

The Canadian government is going to do the same at some point, don't kid yourself. It's not about porn or pedophilia. 

Oh, for fuck sakes, the stupidity of this is astounding.

People share so much fucking personal information online it's ridiculous.  People post their personal views online all the time in a way that is easily traceable to them.

Are you really so naïve as to not understand that state actors can already obtain the information about who is posting information online.

Do yourself a favour and look up what a Norwich Order is.  I can walk into court today and get an order, revealing the identity of anyone in the world who has allegedly defamed my client.

You guys are living in an infantile fantasy that never existed. Most of you wave around the principle of free speech without even understanding what it is you're talking about or the legal context in which it exists. And you guys are the smart ones in society.

You can obtain a court order to know my real identity and where I live.

I did not post here publicly for everyone to see, inviting the highest bidder to get everything they need to impersonate me at my bank over the phone.

No one is supposed to have public access to my SSN, driver's license with picture, RAMQ id and so on.

I keep reasonable steps to maintain a degree of privacy, I'll be taking some more later this summer/fall.

Syt

https://thedreydossier.substack.com/p/i-found-a-second-votegov-and-its

Quote
I found a second vote.gov — and it's registered to the White House

There is a moment in every investigation where the thing you have been looking for finds you instead. Mine found me on TrumpRx.

If you have not been to TrumpRx, it is a federal drug pricing website that looks like Wix and a Pinterest board threw up on each other. There is a gold three-dimensional eagle on the homepage clutching a ribbon in its talons that says TrumpRx. There are pills floating across the screen like a pharmaceutical screensaver. The tagline, and I am quoting directly from a website owned by the United States government, invites you to TrumpRx the price. It has the typography of a Brooklyn juice bar and the self-regard of someone who has never been told no. It is, in every conceivable aesthetic sense, a catastrophe. And while you are busy looking at the eagle, the website is busy looking at you. I wish I were being metaphorical.

In the footer of the page, beneath all of it, I found something I have never seen on a federal government website in my life. A byline. The government does not do this. The IRS does not sign its work. The FBI does not. Social Security does not. No federal agency that has ever built a website has felt the need to take credit for it. In plain bold text, sitting directly above the privacy policy, it said: Designed and Engineered in D.C. by National Design Studio. So I clicked through.

The National Design Studio was created by executive order in August 2025. Its job, officially, is to redesign how Americans experience their government. Its leader is Joe Gebbia, cofounder of Airbnb, which is to say he is a man who looked at the American home and saw an untapped revenue stream. If anyone understands how to improve public spaces, it is the company that took residential ones and made sure the public could never afford them again. He reports directly to White House Chief of Staff Susie Wiles, which is a strange place to house a website design agency. A technology office that builds federal websites should answer to the General Services Administration, or at minimum to the agencies whose websites it is building. Instead it answers to the person who controls access to the President. His position requires no Senate confirmation, which means he files no financial disclosures, which means the office he runs does not appear in any federal procurement database, which means as far as the official record is concerned, it barely exists.

Which, as I was about to find out, was entirely the point.

The structure of the National Design Studio will be familiar to anyone who has been paying attention. Staff are hired under a federal authority called Section 3161, written for temporary advisory bodies, which means most of them are part-time advisors or volunteers. They do not appear on the White House salary report. They answer to no inspector general, because the Executive Office of the President does not have one. If that sounds familiar, it should, because it is exactly how DOGE was run.

Gebbia spent six months at DOGE before taking his current role. The senior staff at the National Design Studio, when you pull the bylines from their blog posts and run the names against court filings, come back from the same place, DOGE, the same DOGE currently named as defendant in multiple federal lawsuits for letting engineers without proper security clearance access Social Security data and Department of Homeland Security data, and for sharing sensitive federal information with outside parties. The National Design Studio is not a successor to DOGE. It is DOGE with a better logo and a design philosophy.

Now, back to TrumpRx looking at you.

Every webpage you load is making phone calls. Not to people, but to servers around the internet, dozens per second, all invisible to you. When I opened TrumpRx, I right-clicked the page, opened the browser's built-in inspector, and started reading the list. Mixed in with the routine traffic was a name I recognized: PostHog. PostHog is a Silicon Valley analytics company whose entire business model is recording what visitors do on a website and reporting it back to whoever owns the site. Mouse movements, clicks, scrolls, keystrokes. I had not typed anything. I had not clicked anything. I had just opened the page, and it was already on the phone with PostHog telling them about me.

The recordings are not anonymized. IP addresses are not stripped. And the way it is configured, the data looks to your browser like it is going back to TrumpRx, but it is actually being forwarded behind the scenes to PostHog. That is a technique used to slip past ad blockers by disguising where the data is really going, and it is not something I expected to find on a federal health website. So I went and looked at the other sites the studio had built. Real Food, the federal food policy site. Trump Accounts, the children's savings program. The studio's own homepage, ndstudio.gov. All of them had the same vendor, the same setup, IP addresses not stripped, the same forwarding trick. And on ndstudio.gov alone, running alongside PostHog, was something someone had built entirely by hand. Five hundred and forty lines of custom JavaScript with a name embedded directly in the code: AutoMonitor. What it appears to do is rewire the part of the browser that handles how a page talks to the outside world, so that every conversation the page has with any server gets copied and forwarded to a private backend with no public presence. The studio has the structural ability to keep a copy of every recording as it passes through their infrastructure. I cannot prove they are keeping one. The pipe is built that way on purpose, and that is the part that matters.

When the federal government collects information about citizens, the law requires specific things first. Privacy disclosures. Notices in the Federal Register. Published contracts with outside vendors. I went looking for all of it across twelve National Design Studio programs and found none of it, not a single required document filed across any of the twelve. Every missing document is, by itself, a violation of federal law, and these are the laws Congress wrote after Watergate to make sure the federal government could not run secret surveillance programs on its own citizens. The only document they did publish is a privacy policy on TrumpRx, and it contradicts itself two paragraphs apart. The first paragraph says PostHog records the pages users visit and the medications they view. Two paragraphs later, it says they do not collect health or medical information. A federal health website is lying to the people using it and cannot even keep the lie consistent.

I wanted to know whether there were more sites the studio had not announced. Here is something almost nobody outside of security research knows. Every website with a padlock in the address bar has a certificate, and there is a rule that every certificate issued anywhere in the world must be logged in a public ledger the moment it is created, no exceptions. The side effect of that rule is that every new website on the internet, even ones nobody has announced and even ones hidden behind a login, leaves a public fingerprint the moment it is built. There is a free search engine called crt.sh where anyone can look up those logs. I typed in the studio's domain, and underneath the public sites I already knew about were roughly forty more, unannounced, with no links pointing to them from any public page. I started reading the names. Sites that looked like they belonged to the State Department. To NASA. To the Department of Homeland Security. And then two that stopped me cold: a working preview of vote.gov, and something called fbi-kirk-tipline. I checked the public ownership records for every subdomain, and every single one traced back to the same place, the Executive Office of the President. The National Design Studio had built pre-launch versions of websites belonging to other federal agencies and registered all of it to the White House.



All of it ran through the same private Cloudflare account. Using Cloudflare is not unusual for a federal agency. Running forty federal websites through one personal account is another matter. The login screen for the gated preview sites read: loveisaskill.cloudflareaccess.com. Love is a skill is a phrase Gebbia has used publicly to describe Airbnb's design philosophy. It is the kind of name you give an account when it belongs to you personally, not when it belongs to the federal government, and federal infrastructure is supposed to be owned by the agency, not the person running it.

The people running this office are worth knowing about. In 2025, a federal judge ordered everyone at DOGE blocked from accessing personnel records at the Office of Personnel Management. Three people were granted exceptions and allowed to keep their access anyway. Greg Hogan was one of them. The administration argued he was essential to ongoing system work, the judge accepted it, and Hogan kept his access to federal personnel records while every other DOGE staffer was locked out. He has since moved from DOGE into the National Design Studio, where he was recently promoted to run Login.gov, the federal government's sign-in system. If you have ever applied for a federal job, requested your Social Security records online, or filed for federal benefits, you have used it. It scans your biometrics. More than 150 million Americans have accounts. The man who survived the OPM injunction now runs the front door to your federal identity.

A second name from the original DOGE cohort, Akash Bobba, now serves as the official security contact for the US African Development Foundation, a small independent agency the administration tried to dissolve by executive order earlier this year. The dissolution got tied up in court, the agency technically survived, but most of its staff was cleared out. Bobba now holds the credentials controlling the agency's website, its email, and its security configuration, which means a White House staffer has full visibility into who applies for grants, who gets approved, and who inside that agency is talking to whom.



In October 2025, Bobba got on a recorded conference call with state election directors from across the country and presented a federal voter registration system the studio was building. Voters would register through a federal portal, their identities verified through Login.gov, their citizenship verified through DHS's SAVE database, their registrations transmitted to the states. A state election director asked him what data the federal government would retain. He said, on a recording, in an election year: I don't know what they retain and what they are logging. The person presenting a federal voter registration system to state election directors did not know what data his own system kept on American voters.

After Florida 2000, Congress passed a law creating the Election Assistance Commission specifically because both parties agreed that voter registration cannot live inside the White House of any sitting president. The sitting president should not have visibility into who is checking their registration in the weeks before an election that decides whether they keep their job. So Congress built a wall, and today vote.gov is registered to the Election Assistance Commission. As of this writing, that wall is still standing.

But in the certificate logs, underneath the studio's unannounced sites, was a working preview of vote.gov, built inside the studio's staging environment, behind the same Cloudflare login, isolated deliberately. The certificate appeared on April 10, 2026.

Weeks before that certificate appeared, this administration signed an executive order requiring DHS, the Social Security Administration, and the SAVE program to construct a federal citizenship-verified voter list, with a deadline of ninety days from signing. That deadline is weeks away. When the order was challenged in federal court, the Department of Justice told the judge the agencies named had not yet begun preparation and were still in the deliberation phase.



The certificate is dated April 10. DOJ told a federal court the infrastructure does not exist. Both of those cannot be true. Either DOJ lied to a federal judge, or the studio is building a replacement for the country's voter registration site without telling the agencies whose work it would replace. There is no third option.

While I was finishing this piece, I typed passports.gov directly into my browser, just to see what was there. A sign-in page came up: enter your email and we will send you a six-digit code. No State Department seal. No agency name. No privacy notice. Just a black button that says Send code. The owner of passports.gov is the Executive Office of the President, White House Office. The State Department does not own this domain. The security contact field is blank. The first certificate was issued May 5, three weeks ago. Based on what I can see in the staging environment, the next step will ask Americans to upload their passport photo through a White House-controlled website, on the same Cloudflare account, by the same people, with no privacy notice on file. A passport photo is biometric quality. Linked to your identity through Login.gov. Collected through infrastructure the White House owns, sealed from public view. They are building it this week.

Here is what the structure looks like from the outside. Section 3161 hides the staff so they do not appear on salary reports or file financial disclosures. The Executive Office of the President has no inspector general. There are zero required privacy disclosures filed across all twelve programs and no published contracts with any outside vendor. Forty federal websites run behind one personal Cloudflare account. And the Presidential Records Act seals everything for twelve years the day this administration ends, meaning until 2040, no one outside the White House can see who works there, what they collected, or where any of the data went.

What this office is doing is taking the parts of the federal government that touch you directly, your prescription, your voter registration, your passport, your federal login, out of the agencies that legally own them and rebuilding them on White House infrastructure. Vote.gov belongs to the Election Assistance Commission, and the studio built a copy. Passports belong to the State Department, and the studio is building a replacement this week. Login.gov belonged to GSA, and the studio's guy runs it now.

Trump has said publicly that this infrastructure is for other presidents, and he is right about that. It is the one thing in this story I take him at his word on. The infrastructure outlasts him. Whoever wins in 2028 inherits the websites, the vendors, the data, and the hardware, sealed and waiting.

There is a gold three-dimensional eagle on the homepage of TrumpRx, clutching a ribbon in its talons. You are looking at the eagle. Something is being built underneath the government you think you have, on infrastructure you cannot see, by people who answer to no one, collecting everything.

I wish, still, that I were being metaphorical.


SOURCES CITED
NDS Infrastructure Map — my live working GitHub map of every National Design Studio subdomain I have found, filterable by status, registrant, and parent domain. If you want to retrace this investigation or watch new subdomains appear in real time, start here.

The Front Door: NDS and Its Sites
National Design Studio (ndstudio.gov) — the office's own homepage. The /work portfolio page lists every site they have built or are building, including TrumpRX, Real Food, Genesis Mission, Trump Accounts, Tech Force, Safe DC, Trump Card, and OPM Digital Retirements.

TrumpRx.gov — the federal drug pricing site. Footer links to ndstudio.gov via "National Design Studio."

RealFood.gov — MAHA nutrition site. Same NDS footer credit.

TrumpAccounts.gov — children's savings account program. Same NDS footer.

Genesis Mission (genesis.energy.gov) — the DOE/Oracle AI initiative. Oracle is listed as a partner on the homepage alongside NVIDIA, OpenAI for Government, IBM, Microsoft, AMD, AWS, and Google. Footer reads "DESIGNED IN D.C. BY THE NATIONAL DESIGN STUDIO."

Passports.gov — currently a sign-in wall with no public footer credit, but the certificate transparency log ties it to the same infrastructure pattern (see below).

Executive Orders and Founding Documents
Executive Order 14338 — establishing the National Design Studio (August 21, 2025) — the order that created NDS, named Joe Gebbia chief design officer reporting to Chief of Staff Susie Wiles, and granted it broad authority to "design and redesign" federal digital services.

Genesis Mission executive order (November 24, 2025) — the order directing DOE to build the federal AI platform with Oracle as integration partner.

Personnel and Hiring Authority
Joe Gebbia named NDS chief design officer (Reuters) — Reuters' reporting describing NDS as "a stripped-down successor to the controversial Department of Government Efficiency."

Section 3161 of Title 5, U.S. Code — temporary organizations — the federal statute NDS is using to hire staff as advisors to a "temporary organization," which bypasses normal civil service hiring, salary disclosure, and ethics review timelines.

Akash Bobba — DOGE engineer background (Wired) — original reporting on the DOGE engineering cohort, including Bobba.

dotgov-data registry (cisagov/dotgov-data on GitHub) — CISA's authoritative repository for every federal .gov domain. The current-federal.csv file at this raw URL shows ndstudio.gov, passports.gov, realfood.gov, and trumprx.gov all registered to the Executive Office of the President, White House Office. The same file shows usadf.gov (United States African Development Foundation) listing [email protected] as its official security contact — meaning an independent federal agency's cybersecurity point of contact is a personal-named mailbox at the White House design shop.

get.gov data page — the public landing page that links to the CISA registry files.

Certificate Transparency Logs
crt.sh search for %.ndstudio.gov — 979 certificates on file as of May 26, 2026. Includes subdomains for fbi-kirk-tipline.previews, vote-gov.previews and vote-gov-ndstudio.previews, trump-accounts-splashpage.previews, board-of-peace-assets, war.previews, and dozens of other staging environments that are not publicly announced.

(crt.sh crashes all the time, hence my GitHub repo at the top ^)

crt.sh search for passports.gov — 26 certificates showing the rollout timeline: original cert May 5, staging/auth/api subdomains spun up May 22, and nine new certs for photo.passports.gov and photos.passports.gov issued in a single hour on May 26.

Cloudflare Access login wall at loveisaskill.cloudflareaccess.com — the SSO portal that gates vote-gov.previews.ndstudio.gov. The URL resolves to a Cloudflare Access login wall and will request an email/authentication; you cannot bypass it without credentials, but its existence confirms the preview is hosted on White House-controlled infrastructure rather than the Election Assistance Commission's systems.

The AutoMonitor Script
The AutoMonitor source file (cdn.infra.ndstudio.gov) — the 539-line JavaScript file that defines class AutoMonitor, generates a session ID on line 7, and posts telemetry to analytics.infra.ndstudio.gov/metrics on line 8. Deployed on ndstudio.gov and confirmed on genesis.energy.gov.

PostHog analytics on TrumpRx — TrumpRx privacy policy — TrumpRx's own privacy policy confirms it uses PostHog for usage analytics while also stating it does not collect "health or medical information." PostHog by default records full session replays, including keystrokes and mouse movement, unless explicitly disabled.

PostHog session recording documentation — PostHog's own docs describing what session replay captures by default.

DOGE Lineage and Court Record
American Federation of Teachers v. Bessent — the lawsuit challenging DOGE access to Treasury Department systems, including IRS taxpayer data. Court filings document the specific systems DOGE personnel were granted read/write access to.

Court ruling on DOGE Privacy Act violations (CourtListener docket) — full docket including the preliminary injunction findings.

FBI Utah Valley shooting page (fbi.gov/utahvalleyshooting) — the FBI's official public intake page for Kirk shooting tips. Tips went through the existing 1-800-CALL-FBI line and tips.fbi.gov, generating over 11,000 tips in 48 hours.

Privacy Framework Documents That Should Exist And Do Not
E-Government Act of 2002 — Privacy Impact Assessment requirement — the law requiring federal agencies to publish a PIA before deploying any system that collects personally identifiable information.

OMB Circular A-130 — federal information policy — the binding policy requiring System of Records Notices (SORNs) for any federal system maintaining personally identifiable records.

Federal Register SORN search — search for "National Design Studio" returns zero published SORNs as of May 26, 2026.

Iron Mountain and the Retirement Pipeline
Iron Mountain limestone mine retirement processing (Washington Post) — the original "sinkhole of bureaucracy" reporting on OPM's paper-based retirement processing facility.

OPM Digital Retirements (retire.opm.gov) — the NDS-built replacement system listed in their portfolio. Linked from ndstudio.gov/work.


Is this something? Is this nothing? :unsure:
We are born dying, but we are compelled to fancy our chances.
- hbomberguy

Proud owner of 42 Zoupa Points.

Crazy_Ivan80

Authoritarians, you've got to love them...

 <_<  :glare:  :ph34r:  :shutup: