Is DuckDuckGo Actually Private? We Looked at the Policy (and Kagi, Brave, and Google)

12 May 2026

DuckDuckGo doesn't build a search profile. Kagi doesn't track searches at all. Google builds the most detailed profile in existence. Here's what the privacy policies actually say.

Your search engine sees everything. Every symptom you look up before you tell your doctor. Every financial worry you can't discuss at home. Every question you're too embarrassed to ask anyone. The search box is uniquely revealing — and most people have never thought carefully about who reads it.

We've graded Google, DuckDuckGo (grade: B+, 84/100), Brave (grade: B+), and Kagi (grade: A, 88/100). The range goes from the most comprehensive surveillance operation in consumer software history to a product that's architecturally incapable of building a search profile.

Google: the profile as the product

Google's search business and its advertising business are inseparable. When you search on Google, that query is associated with your account (if signed in), your device (if not), and a profile that Google has been building for years across search, YouTube, Gmail, Maps, Chrome, and every website that uses Google Analytics.

Google knows not just what you searched for today, but the history of your searches going back years. It uses those searches to infer your health concerns, your political views, your purchasing intentions, and your life events — and it uses those inferences to target you with advertising across the web.

You can use Google without an account, but you cannot use Google without contributing to a device-level profile. The grade reflects a business model in which your attention and your data are the product being sold to advertisers.

DuckDuckGo: genuinely private search, with caveats

DuckDuckGo's core claim is straightforward and well-supported: it does not log your IP address alongside your searches, it does not build a search history, and it does not tie your queries to any identifier. The policy states explicitly: "We don't save your IP address or any unique identifiers alongside your searches or visits to our websites."

For local search results, DuckDuckGo sends a randomised approximate location to content providers — not your actual location, and not logged. Cookies store only anonymous search settings (region, theme). This is the correct architecture for a private search engine.

The caveat most users don't know about: DuckDuckGo uses Microsoft's advertising network for some search ads. When you click an ad, that click goes through Microsoft's infrastructure. DuckDuckGo has negotiated restrictions on Microsoft's use of that data, but you are interacting with Microsoft's network when you click a paid result. The organic search results are independent of this.

DuckDuckGo is also a US company (Pennsylvania), subject to US law. Its strong data minimisation substantially reduces the practical risk from US jurisdiction — you cannot compel records that don't exist — but the structural exposure remains for users with elevated threat models.

Brave: private by architecture, not just by policy

Brave's privacy pitch is that the browser itself blocks tracking — so the search engine doesn't need to handle the tracking-avoidance problem because the browser already has. In practice this means Brave blocks third-party trackers, fingerprinting scripts, and advertising pixels at the network level, before any data leaves your device.

For analytics, Brave uses STAR (Secure Threshold Aggregation Reports) and Nebula — cryptographic protocols that provide mathematical guarantees that individual behaviour cannot be recovered from aggregate data. This isn't "we promise not to look" — it's a technical property of the system. For Leo AI subscriptions, unlinkable tokens mean Brave cannot connect purchase records to usage.
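A simplified sketch of the threshold idea behind STAR, added here as an illustration and not Brave's code: each client secret-shares an encryption key derived from its measurement, so the server can decrypt a value only once K clients have reported it. The threshold K, the field, the hash labels and the sample hostnames are assumptions, and the sketch omits the randomness server the real protocol uses to stop guessing of low-entropy values.

```python
import hashlib
import secrets

P = 2**127 - 1   # prime field for the Shamir shares (assumed for this sketch)
K = 3            # threshold: values reported by fewer than K clients stay hidden

def _h(label, data):
    return int.from_bytes(hashlib.sha256(label + data).digest(), "big") % P

def _xor(key, data):
    # Toy stream cipher: XOR with a SHAKE-256 keystream derived from the key.
    stream = hashlib.shake_256(key.to_bytes(16, "big")).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def client_report(measurement):
    m = measurement.encode()
    # Coefficients derive from the measurement, so equal values share one polynomial.
    coeffs = [_h(b"coef%d" % i, m) for i in range(K)]
    x = secrets.randbelow(P - 1) + 1           # random evaluation point per client
    y = sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P
    return {"tag": hashlib.sha256(b"tag" + m).hexdigest(),  # groups equal values
            "ct": _xor(coeffs[0], m),           # key is the polynomial's value at 0
            "share": (x, y)}

def _key_from_shares(points):
    # Lagrange interpolation at x = 0 over GF(P); needs K distinct points.
    total = 0
    for j, (xj, yj) in enumerate(points):
        num = den = 1
        for i, (xi, _) in enumerate(points):
            if i != j:
                num = num * xi % P
                den = den * (xi - xj) % P
        total = (total + yj * num * pow(den, -1, P)) % P
    return total

def aggregate(reports):
    groups = {}
    for r in reports:
        groups.setdefault(r["tag"], []).append(r)
    counts = {}
    for rs in groups.values():
        if len(rs) >= K:                        # below K the key is unrecoverable
            key = _key_from_shares([r["share"] for r in rs[:K]])
            counts[_xor(key, rs[0]["ct"]).decode()] = len(rs)
    return counts

# Constructed sample: three clients report one value, two report another.
REPORTS = [client_report(v) for v in ["news.example"] * 3 + ["clinic.example"] * 2]

if __name__ == "__main__":
    print(aggregate(REPORTS))
```

The value reported by only two clients never appears in the output, because two points cannot determine the degree-2 polynomial that hides its key.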

The code is open source, which means the privacy claims are independently verifiable rather than trust-dependent. Brave's browser is the most technically rigorous privacy implementation in this category.

The structural limitation is US jurisdiction (San Francisco) and the business model question. Brave operates its own advertising system (Brave Ads) that rewards users for opting in to privacy-preserving ads. The opt-in model is genuinely different from Google's opt-out default — but Brave does have a financial stake in the advertising ecosystem, which creates different incentives from DuckDuckGo or Kagi.

Kagi: the strongest privacy guarantees, at a cost

Kagi is a paid search engine (from ~$5/month) with a privacy posture that is qualitatively different from the others. The business model is the foundation: Kagi's revenue comes entirely from subscriptions, with no advertising business. The company explicitly frames user data as a liability it wants to minimise.

Kagi does not log which search results you click. It does not build a search history. Server logs are purged on strict schedules. AI conversation threads (the Kagi Assistant feature) are automatically deleted after 24 hours. The policy is archived with a public changelog so you can track exactly what has changed since 2021.

For users who want near-complete anonymity, Kagi documents explicit pathways: creating an account with a pseudonymous email, paying with cryptocurrency (via OpenNode), accessing the service over Tor, and authenticating with Privacy Pass tokens. No other search engine in this tier offers this combination.

Kagi also publishes a warrant canary — a public statement updated regularly to confirm Kagi has received no gag orders, secret court orders, or national security letters. DuckDuckGo, Brave, and Google do not publish equivalent canaries.

The trade-off is cost and the fact that a subscription requires an account. For users who consider free search engines "free because you're the product," Kagi's subscription model is the intended alternative. For users who want anonymous search without a paid account, DuckDuckGo is the better fit.

Side by side

| | Kagi | DuckDuckGo | Brave | Google |
|---|---|---|---|---|
| Search history logged | ✗ No | ✗ No | ✗ No | ✓ Yes (by default) |
| IP address logged | ✗ No | ✗ No (never to disk) | ✗ No | ✓ Yes |
| Ad network involvement | ✗ None | Microsoft (ad clicks only) | Brave Ads (opt-in) | Core business |
| Anonymous payment | ✓ Cryptocurrency | N/A (free) | N/A (free) | N/A (free) |
| Tor access | ✓ Documented | ✓ .onion available | ✓ Built into browser | |
| Warrant canary | ✓ Yes | ✗ No | ✗ No | ✗ No |
| Open source | Partially | ✗ No | ✓ Yes | ✗ No |
| Cost | From ~$5/month | Free | Free | Free |
| Privacy grade | A (88/100) | B+ (84/100) | B+ | F |

Which one?

For most people switching away from Google: DuckDuckGo is the right starting point. It's free, the privacy is genuine, and the search quality is good enough for the vast majority of queries. The Microsoft ad-click caveat is real but narrow — it only applies when you click paid results, not organic ones.

For users who want the strongest technical privacy guarantees and are willing to pay: Kagi. The subscription model removes the ad network entirely, the anonymity pathways are unmatched, and the warrant canary adds a layer of accountability no free search engine offers.

For users who want privacy at the browser level as well as the search level: Brave handles both. The cryptographic analytics and open source code provide a level of verifiable privacy that policy promises alone can't match.
