Privacy-Preserving Agent Discovery
NANDA's dual-path resolution lets agents discover each other without revealing who's searching for what — essential for healthcare, finance, and competitive intelligence.
The Discovery Privacy Problem
Every time an agent searches for another agent, that search reveals intent. When a pharmaceutical company's research agent queries a registry for genomics specialists, the query itself leaks strategic information — what the company is working on, what capabilities it lacks, and where its research is heading.
This isn't a theoretical concern. DNS queries have long been recognized as a privacy vulnerability — they're transmitted in cleartext and observable by network intermediaries. But for AI agents, the problem is orders of magnitude worse. Agent discovery queries are rich, semantically meaningful requests: "Find me an agent that can analyze BRCA2 gene variants, supports HIPAA-compliant data handling, and has a p95 latency under 100ms." That query is a business strategy document.
Neither A2A nor MCP provides any privacy layer for discovery. A2A's Agent Cards sit at public /.well-known/agent.json URLs — anyone watching network traffic can see who's accessing which agent's metadata. NANDA's Beyond DNS paper identified this as a fundamental architectural requirement and designed a solution: dual-path resolution.
How Dual-Path Resolution Works
Every agent registered in the NANDA Index can expose two resolution paths:
PrimaryFactsURL
Direct access to agent-hosted metadata. The requester connects to the agent's own infrastructure to retrieve its AgentFacts document.
Trade-off: Fast and complete, but the agent's operator can see who's looking.
PrivateFactsURL
Anonymous access through a neutral third-party host — IPFS, decentralized storage, or a privacy-preserving relay. The requester retrieves metadata without the agent knowing who queried it.
Trade-off: Private and anonymous, but may have slightly higher latency and a subset of metadata.
The requesting agent (or its orchestrator) chooses which path to use based on the sensitivity of the interaction. Routine capability lookups can use the direct path for speed. Sensitive searches — competitive analysis, pre-negotiation scouting, regulatory investigations — use the private path.
Why This Matters for Enterprises
Privacy-preserving discovery isn't just a nice-to-have — it's a deployment blocker for many enterprise use cases:
- Healthcare — A hospital's diagnostic agent searching for specialist agents reveals patient conditions and treatment gaps. HIPAA and GDPR require that even the search process protects patient data.
- Financial services — A trading firm's agent querying for market analysis agents reveals investment strategy. Competitors monitoring discovery patterns could front-run trades.
- Legal — A law firm's agent searching for expert witness agents reveals case strategy. Attorney-client privilege extends to discovery patterns.
- National security — Government agents searching for intelligence capabilities reveal operational priorities. Discovery itself is classified information.
Technical Architecture
The dual-path system is embedded in the NANDA resolution flow:
- Index lookup — The requesting agent queries the NANDA Index for agents matching specific capabilities. The index returns AgentAddr records (~120 bytes) containing both URL paths.
- Path selection — The requester's policy engine selects the appropriate path based on data classification, regulatory requirements, or organizational policy.
- Metadata retrieval — Via the chosen path, the requester fetches the full AgentFacts document, verifies its cryptographic signature, and evaluates trust.
- Connection establishment — If trust criteria are met, the agents establish a direct communication channel via A2A, MCP, or HTTPS.
Critically, the index lookup itself can be anonymized. The NANDA adaptive resolver supports query routing through privacy relays, ensuring that even the pattern of index queries doesn't reveal the requester's identity or intent.
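The path-selection step above, sketched as an added example (not code from NANDA or the Beyond DNS paper). The record shape, the two sensitivity levels, the fail-closed rule and the same-host check are assumptions made for illustration; only the PrimaryFactsURL and PrivateFactsURL names come from this page.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional
from urllib.parse import urlsplit


class Sensitivity(IntEnum):          # assumed classification levels
    ROUTINE = 0
    SENSITIVE = 1


@dataclass(frozen=True)
class AgentAddr:                     # assumed shape of an index record
    agent_id: str
    primary_facts_url: str           # PrimaryFactsURL
    private_facts_url: Optional[str] = None   # PrivateFactsURL, may be absent


@dataclass(frozen=True)
class Decision:
    path: str                        # "primary", "private" or "skip"
    url: Optional[str]
    index_via_relay: bool            # send the index query through a relay


def _host(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def select_path(addr: AgentAddr, level: Sensitivity) -> Decision:
    if level == Sensitivity.ROUTINE:
        return Decision("primary", addr.primary_facts_url, False)
    private = addr.private_facts_url
    # A "private" URL served from the agent's own host still shows the
    # operator who is asking, so it is not treated as a neutral third party.
    if private and _host(private) and _host(private) != _host(addr.primary_facts_url):
        return Decision("private", private, True)
    # Fail closed: a sensitive lookup is never downgraded to the direct path.
    return Decision("skip", None, True)


# Constructed sample records (not real agents or hosts).
SAMPLE = [
    AgentAddr("genomics-a", "https://agent-a.example/facts.json",
              "https://relay.example/facts/genomics-a"),
    AgentAddr("genomics-b", "https://agent-b.example/facts.json"),
    AgentAddr("genomics-c", "https://agent-c.example/facts.json",
              "https://agent-c.example/private/facts.json"),
]


def plan(level: Sensitivity) -> dict:
    return {a.agent_id: select_path(a, level).path for a in SAMPLE}
```

Skipped agents are worth logging: a registry where most sensitive lookups end in "skip" is one where the private path is not actually available.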
Beyond Discovery: Privacy-Aware Collaboration
Dual-path resolution is the foundation, but NANDA's privacy architecture extends further. Project NANDA's Phase 3 envisions privacy-aware collaboration where groups of agents can learn together without exposing sensitive data — using techniques like federated learning, split inference, and differential privacy.
The dual-path architecture established in Phase 1 provides the infrastructure these advanced capabilities require: the ability to participate in collaborative networks without revealing organizational identity or operational patterns.