Published February 2026 11 min read

Agent Privacy — Discovery Without Exposure

In agent-to-agent interactions, the search itself is the sensitive data. Who you look for, when you look, and what capabilities you need — these reveal strategy, intent, and vulnerability. NANDA treats discovery privacy as a first-class architectural requirement, not an afterthought.

Series: The Agentic Web Part 4 of 6

The Metadata Problem

Intelligence agencies have a saying: the metadata is the message. The same principle applies to agent discovery. When a pharmaceutical company's research agent queries a registry for genomics specialists with HIPAA-compliant data handling, the query itself reveals what the company is working on, what capabilities it lacks, and where its research is headed.

Neither A2A nor MCP provides any privacy layer for discovery. A2A Agent Cards sit at public /.well-known/agent.json URLs — anyone monitoring network traffic sees who accesses which agent's metadata. MCP relies on direct server connections with no anonymisation. Even DNS-over-HTTPS, which encrypts query content, still exposes access patterns through traffic analysis.

The Beyond DNS paper identified privacy-preserving resolution as a foundational requirement for the agentic web — not a feature, but a design constraint that shapes every layer of the architecture.

Dual-Path Resolution

NANDA's answer is dual-path resolution: every agent in the Index exposes two routes to its AgentFacts metadata, and the requester chooses which to use.

PrimaryFactsURL — Direct Path

The requester fetches metadata directly from the agent's own infrastructure. Fast, complete, and fresh — but the agent's operator can observe who's looking and when.

Best for: routine capability lookups, public service discovery, non-sensitive workflows.

PrivateFactsURL — Anonymous Path

The requester retrieves metadata from a neutral third-party host — IPFS, decentralised storage, or a privacy-preserving relay. The agent never learns who queried it.

Best for: competitive intelligence, pre-negotiation scouting, regulatory investigations, healthcare and financial workflows.

The choice between paths is made by the requester's policy engine — not hardcoded. An enterprise can enforce that all healthcare-related discovery uses the private path, while internal tooling uses the direct path for speed. This per-query privacy control has no equivalent in DNS, A2A, or MCP.
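
One way to express the per-query policy described above, as an added example that is not NANDA's own code: the record fields, tag names, rule format and URLs are assumptions made for illustration. It fails closed when policy requires the private path but the record carries no PrivateFactsURL.

```python
from dataclasses import dataclass
from typing import Optional

# Field names mirror the article's terms; the record layout and the policy
# format are assumptions for this example, not NANDA's specification.
@dataclass(frozen=True)
class IndexRecord:
    agent_id: str
    primary_facts_url: str
    private_facts_url: Optional[str] = None

@dataclass(frozen=True)
class Rule:
    tags: frozenset   # query tags that trigger this rule
    path: str         # "private" or "direct"

class PrivacyPolicyError(Exception):
    """Policy demands the private path but the record offers none."""

# Constructed enterprise policy. First match wins, so sensitive rules go first.
POLICY = [
    Rule(frozenset({"healthcare", "finance", "legal"}), "private"),
    Rule(frozenset({"internal-tooling"}), "direct"),
]
DEFAULT_PATH = "private"  # unclassified queries take the anonymous path

def choose_path(query_tags: set) -> str:
    """Return "private" or "direct" for a query carrying these tags."""
    for rule in POLICY:
        if rule.tags & query_tags:
            return rule.path
    return DEFAULT_PATH

def resolve_facts_url(record: IndexRecord, query_tags: set) -> str:
    """Pick the AgentFacts URL to fetch, never downgrading to direct."""
    if choose_path(query_tags) == "direct":
        return record.primary_facts_url
    if not record.private_facts_url:
        # A silent fallback to the direct path would show the agent's
        # operator who is looking, which the policy exists to prevent.
        raise PrivacyPolicyError(f"{record.agent_id}: no PrivateFactsURL")
    return record.private_facts_url

# Constructed sample record; both URLs are placeholders.
GENOMICS = IndexRecord("agent:example:genomics",
                       "https://agent.example.org/facts.json",
                       "https://relay.example.net/facts/genomics.json")
if __name__ == "__main__":
    print(resolve_facts_url(GENOMICS, {"healthcare"}))
    print(resolve_facts_url(GENOMICS, {"internal-tooling"}))
```

A query tagged both sensitive and internal resolves to the private path because the sensitive rule is listed first.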

The Lean Index: Privacy by Architecture

Dual-path resolution protects the metadata retrieval step. But what about the index lookup itself? Here, NANDA's lean index design provides structural privacy guarantees.

Each record in the NANDA Index is capped at ≤120 bytes — just an agent ID, metadata URL pointers, TTL values, and a cryptographic signature. No capabilities, no skills, no performance metrics, no provider details. This means:

  • Index queries reveal minimal intent. Looking up an agent ID doesn't tell an observer why you're looking or what capabilities you need.
  • Index operators can't profile users. Even a compromised or adversarial index node sees only opaque lookups, not semantically rich queries.
  • Write operations are 10,000× lighter. By keeping rich metadata in AgentFacts (hosted externally), the index avoids becoming a honeypot of sensitive agent information.

This separation — lean index for where, AgentFacts for what — is a deliberate privacy architecture. It applies the principle of data minimisation from GDPR Article 5 at the protocol level: the index stores no more than is necessary for its routing function.

Privacy Under Threat

Privacy-preserving discovery matters most in adversarial environments. Consider four scenarios where discovery patterns are high-value intelligence:

  1. Healthcare. A hospital agent searching for oncology specialists reveals patient conditions. Under HIPAA and GDPR, even the search process must protect patient data.
  2. Financial services. A trading firm's agent querying for market analysis agents reveals investment strategy. Competitors monitoring discovery could front-run trades.
  3. Legal. A law firm searching for expert-witness agents reveals case strategy. Attorney-client privilege must extend to discovery patterns.
  4. National security. Government agents searching for intelligence capabilities reveal operational priorities. The discovery metadata itself is classified.

A protocol that encrypts messages but exposes discovery queries provides a false sense of privacy. In agent-to-agent interactions, discovery patterns are often more revealing than the communications themselves. NANDA treats both with equal architectural seriousness.

Beyond Discovery: Privacy-Aware Collaboration

Dual-path resolution is the foundation, but NANDA's privacy architecture extends into Project NANDA's Phase 3 vision: privacy-aware collaboration where groups of agents learn together without exposing sensitive data. Techniques like federated learning, split inference, and differential privacy require the kind of private discovery channels that the dual-path architecture provides.

The lean index, PrivateFactsURL, and policy-driven path selection together create a privacy stack that aligns with the EU AI Act's transparency requirements and GDPR's data minimisation principles — not through legal compliance bolted on after the fact, but through privacy by design embedded in the protocol itself.

In Part 5, we turn from privacy to security — examining how Zero Trust Agentic Access (ZTAA) and Agent Visibility and Control (AVC) protect enterprise agent deployments from the threats that autonomous agents uniquely create.
