Daylila

Cybersecurity · Monday, 29 June 2026

01 · Briefing · what happened

The government rebuilt its own websites — and quietly fitted them to watch you

Cybersecurity 4 min 62 sources

A White House office rebuilt sensitive federal sites for passports, voter registration and drug pricing, fitting at least two with tracking software set to dodge privacy tools — and skipping the privacy filings the law requires. Plus a crypto "recovery" scam that's really malware, and a Chinese AI that's catching up at finding software flaws.

Key takeaways

  • A White House office rebuilt sensitive federal websites — passports, voter registration, drug pricing — and fitted at least two with tracking software set to dodge browser privacy tools, while skipping the privacy filings the law has required since 1974.
  • When you have no choice of channel, your own caution can't protect you — only the rules binding whoever built the channel can; the missing accountability filings are the real failure, not just the tracking code.
  • A separate scam targets people who lose access to their crypto: fake "recovery tools" that are really malware, built to strike at the panicked moment when you stop checking who made the software.

The biggest security story this week isn’t a hacker breaking in. It’s the people who run the websites rebuilding them to watch the visitors — on the very sites you can’t avoid using.

What happened to the federal websites

A White House office called the National Design Studio quietly rebuilt some of the US government’s most sensitive websites — the ones for passport applications, voter registration, prescription-drug pricing and children’s savings accounts [1]. The office was created by executive order last August and is staffed largely by veterans of the “department of government efficiency,” or Doge [1].

A Guardian investigation found that on at least two of these sites, the studio installed a commercial visitor-tracking tool called PostHog, set up to closely follow what every visitor does [1]. A separate, apparently in-house tool sent user data to a destination not visible on the public internet [1].

Two things make this more than a privacy footnote. First, the tracking was reportedly configured to evade the privacy tools many people install in their browsers — so the usual defences wouldn’t see it [1]. Second, none of the four sites carried the public filings that federal privacy law has required since 1974, the documents that are supposed to tell the public what data is collected and why [1].

The studio appears to have removed the tracking software after the Guardian sent the White House detailed questions [1]. A White House spokesperson said all studio staff “comply with all legal requirements” [1].

Why this is a security story, not just a politics one

Security isn’t only about keeping attackers out. It’s about who can see what you do, and whether they’re allowed to. A “data breach” is when someone takes data they shouldn’t have. This is the quieter cousin: the data is collected by the people who built the door you walked through, on terms you never saw.

The mechanism matters. Visitor-tracking software records the path a person takes through a site — what they click, what they type, how long they linger [1]. On a passport or voter-registration site, that path is sensitive by itself. Routing it to a destination “not visible on the public internet” means even researchers can’t check where it ends up [1].

And here’s the part with no easy fix for you: you don’t choose this channel. If you need a passport, you go to the passport site. If you want to register to vote, you go to the registration site. The Cybersecurity and Infrastructure Security Agency — the US government’s own cyber-defence agency, known as CISA — lists the executive office of the president as the owner of these domains [1]. There’s no alternate door.

When there’s no alternate door, your caution doesn’t protect you — only the rules binding the people who built the door do. That’s why the missing privacy filings, not the tracking code itself, are the real story. The filings are the accountability. Skip them and the protection is gone whether or not a single record ever leaks.

A scam that targets your worst moment with crypto

A separate, smaller story shows the same shape from the criminal side. Researchers at HP’s security lab found fake “cryptocurrency recovery” websites that are really delivering malware [16].

Here’s how it works. If you hold cryptocurrency, your wallet is protected by a long secret called a “seed phrase” — 12 to 24 words that are the only way back into your money if you lose access [16]. Forget it, and the panic is real: thousands of pounds, gone. So people search “free cryptocurrency recovery tool” — and one of the top results is a fake program built by criminals [16].

Once installed, the software harvests passwords from your browser, plus documents and photos, packages them up and ships them to the criminals [16]. “They’re preying on emotions,” HP’s Alex Holland said. “They want to take advantage of that moment of vulnerability” [16].

The lesson is the same as the government one, flipped: when you’re desperate and there’s only one obvious door, you stop checking who built it. If you ever lose wallet access, slow down — that pause is exactly what the scam is built to skip [16].

One to watch: AI is getting good at finding flaws

A quieter thread for the months ahead. A Chinese company, Zhipu AI, released an open-weight model called GLM-5.2 that some researchers say now matches top US models at finding software bugs and security flaws [7]. “Open-weight” means anyone can download and run it on ordinary hardware [7].

That cuts both ways. The same skill that lets defenders find and fix flaws before attackers do also lets attackers find them first. A tool that’s free to download has no gatekeeper deciding who uses it for which purpose [7]. Nothing has broken here yet — but it’s worth knowing the capability is now widely available, not locked behind a few labs.

02 · Lesson · why it matters

When you can't choose the door, your caution doesn't protect you

The advice "be careful online" assumes you have a choice of where to go. On the roads you're forced to walk, the only thing protecting you is the rule binding whoever built the road.

The strange thing about the government website story

A hacker breaking into a system is a fight you can imagine: someone outside trying to get in, someone inside trying to keep them out. The federal website story isn’t that. Nobody broke in. The people who built the door fitted it with a way to watch everyone who walks through.

And the people walking through can’t walk somewhere else. If you need a passport, there is one passport site. If you want to register to vote, there is one registration site. You don’t shop around. You don’t read reviews. You go where the institution put the door, because there is no other door.

Most security advice quietly assumes you have an exit

“Use a strong password.” “Check the sender.” “Don’t click suspicious links.” “Read the privacy policy.” Every piece of this advice rests on one hidden assumption: that you can choose to go elsewhere if something looks wrong.

That assumption holds for a lot of life. You can pick a different shop, a different email, a different app. Your caution works because it can steer you toward a safer choice.

But some doors have no alternate. Government services. Your employer’s systems. The single utility company for your area. The bank that holds your mortgage. In these places, careful and careless people end up in exactly the same spot, because there’s only one spot to end up. Vigilance needs somewhere else to go, and here there’s nowhere.

So what actually protects you

If your own caution can’t help — because you can’t leave — then the only thing left is whatever binds the person who built the door. A rule. A required disclosure. An audit someone else performs. A law that says: tell the public what you collect, file it where they can read it, submit to an inspector who can check.

That’s why the real failure in the government story isn’t the tracking code. It’s the missing filings. The law has required, since 1974, that federal sites publicly declare what data they gather and why. Those filings are the accountability — the substitute for the choice you don’t have. Skip them, and the protection is gone, whether or not a single record ever leaks. The tracking was the symptom. The unaccountability was the wound.

The same shape, seen from the criminal side

The crypto-recovery scam is this pattern inverted. A person who’s lost access to their wallet has, in their own head, no other door — the money is locked, the panic is loud, and “free recovery tool” feels like the only road out. The scammer doesn’t beat their judgment. The scammer arrives at the one moment the victim has stopped looking for an exit, because they believe there isn’t one.

In both stories, the danger isn’t carelessness. It’s the absence of choice — manufactured by a criminal, or simply built into how a service works. Take away someone’s exit and you take away the protection their caution was supposed to provide.

Why this reaches further than four websites

It’s easy to read this as a story about one office and four sites. It isn’t. Every one of us moves through dozens of doors we didn’t choose and can’t avoid — the tax system, the health system, the one payment network the shop accepts, the platform our job runs on. We are all standing in those single-door rooms, all day, mostly without noticing.

That’s the uncomfortable part. The protection we’re relying on isn’t our own. It’s a web of rules and disclosures and audits, built by people we’ll never meet, watching channels we can’t watch ourselves. When that web holds, we never feel it — which is exactly why it’s so easy to quietly cut.

And no one seat can check the whole of it. Not the visitor, who can’t see the code. Not the researcher, when the data goes somewhere invisible. Not even the office that built the door — temporary, outside the inspector’s reach, accountable to no one watching. The whole point of the accountability rules is that trust can’t be verified by the person doing the trusting. We are inside the system, depending on guardrails we can’t personally inspect — including the guardrails on the ones we’ve handed the keys.

03 · Lab · your turn

The Single-Door Rooms

Rehearse choosing a protection in services you can't avoid, and feel that your caution only works where you have an exit.

04 · Hope · carry this

The tracking came off the moment the questions arrived — which is the quiet proof that the watchers we never see are still watching, and that a fifty-year-old rule and a few persistent researchers can still pull a door back open.

More from Cybersecurity

One toolkit, 200,000 scam sites — fraud is now built like software Two dozen companies were breached through a vendor they'd plugged into years ago A flaw hid in software on billions of machines for 25 years — until an AI went looking

Across the beats

Fortnite starts reselling the skins it once swore would never come back A French dairy giant sues to kill a food label — because the scorecard now counts against it Why spreading your money across many bets is the one thing in investing close to a free lunch