Google processes billions of queries per day. Each query, timestamped and linked to your account or persistent cookie, teaches Google something about what you're worried about, what you're buying, what you believe, who you're researching. The business model depends on this data — not in a speculative way, but as the core mechanism by which advertising is targeted and priced.
Private search engines make different bets. Some promise not to log queries. Some build separate indexes. Some run on subscription revenue that eliminates the ad-targeting incentive entirely. The promises vary in credibility, and the trade-offs in search quality are real. This post works through the honest version of each option.
What "Private Search" Actually Means
There are two distinct things a search engine can protect: what you searched for, and who searched for it. Most "private" search engines address only the first.
"No search logs" means your individual queries aren't stored with your identity. "No profiling" means the engine doesn't build a behavioral model across sessions, even anonymously. These are different claims. A search engine can avoid logging individual queries while still building statistical models on aggregate query data that it sells to advertisers.
Additional considerations: where the company is incorporated (jurisdiction for legal compulsion), whether they use a third-party index (and what data that index provider sees), and whether their privacy claims are audited or self-attested. Most private search engines are the latter.
Also: search privacy is transport-layer privacy. It says nothing about browser fingerprinting (the engine can identify your browser type without an account), IP address logging, or whether your ISP is watching your DNS queries. Search privacy requires a broader context: a private DNS resolver, a VPN or Tor for IP masking, and a browser configured to minimize fingerprinting surface.
DuckDuckGo: The Mainstream Option
DuckDuckGo is the most widely used private search engine, with a US market share that's grown steadily since its 2008 founding. Its primary claims: no search logs, no tracking cookies, no user profiling. It shows ads based on the search query itself, not on a historical profile of the searcher.
DuckDuckGo's index is primarily sourced from Bing (Microsoft), with additional results from its own web crawler (DuckDuckBot) and other partners. This means Microsoft's infrastructure processes some queries. DuckDuckGo's privacy policy states they do not pass personally identifiable information to Bing, but the architecture means Microsoft knows a search engine is querying them — the volume and content patterns are observable.
Honest assessment: DuckDuckGo's privacy claims are credible for typical use cases. The Bing dependency is a real consideration if your threat model includes Microsoft. The company is US-incorporated, so it's subject to US court orders including National Security Letters. Search quality has improved and is adequate for most queries, though technical and niche searches often lag Google.
Brave Search: Building an Independent Index
Brave Search launched in 2021 with the stated goal of building a fully independent search index — not relying on Bing or Google for results. By 2024 they reported that the majority of their results come from their own index rather than third-party sources, though they still use Bing as a fallback for queries their index can't satisfy well.
The independence matters: a search engine that proxies Bing is architecturally different from one with its own crawl. Brave's approach reduces the number of parties that see query data. They offer optional "anonymous usage metrics" and a toggle for independent index vs. Bing fallback.
Honest assessment: Brave Search is one of the more credible privacy options for users who want both reasonable search quality and reduced third-party exposure. Brave is incorporated in the US (San Francisco), so the same jurisdiction caveats apply. The browser and search products are separate; you don't need to use the Brave browser to use Brave Search.
Kagi: Paying for Search Without Ads
Kagi is a paid search engine, launched in 2023, built on the premise that the ad-supported model is fundamentally incompatible with user interests. When a user is the paying customer, the incentive alignment is different: the product improves by being useful, not by maximizing engagement or harvesting data.
Kagi uses a combination of its own indexes (including its Teclis web index and Kagi News) and third-party sources. Users can customize rankings — boosting or demoting specific domains — and the personalization is stored locally or server-side under the user's account, not used for ad targeting.
| Feature | DuckDuckGo | Brave Search | Kagi | SearXNG |
|---|---|---|---|---|
| No query logs | ✓ Claimed | ✓ Claimed | ✓ Claimed | ✓ Depends on instance |
| Own index | ✗ Bing-primary | ~ Mostly own | ~ Mixed | ✗ Meta-search |
| Ad model | Query-based ads | Query-based ads | No ads (paid) | No ads |
| Jurisdiction | US | US | US | Varies (self-hosted) |
| Cost | Free | Free | ~$10/mo | Free (self-host) |
| Open source | ✗ | ✗ | ✗ | ✓ |
Honest assessment: Kagi is the most interesting option for users who value search quality and are willing to pay for it. The subscription model genuinely changes the incentive structure. The trade-off is cost, and the privacy claims are self-attested — there's no third-party audit of their data handling. US-incorporated, same jurisdiction risk.
SearXNG: The Self-Hosted Meta-Search Option
SearXNG is an open-source meta-search engine — it queries multiple search engines simultaneously (Google, Bing, DuckDuckGo, and others depending on configuration), aggregates results, and returns them without associating the query with the user's identity. No account, no logs, no persistent cookies.
When you self-host SearXNG, the trust boundary is entirely within your control: you run the server, you set the query sources, and no third party sees anything except that "some server" is making API calls to their index. The queries go out from your server's IP, not your personal IP.
Public SearXNG instances exist (searx.space maintains a list), but using a public instance shifts trust from Google to the instance operator — who can log your queries, see your IP, and is typically an unknown party. Self-hosting is the privacy-maximizing choice; using a public instance is a step up from Google but not a strong privacy guarantee.
Honest assessment: SearXNG self-hosted is the strongest option for privacy-maximizing technical users. It requires running and maintaining a server, and results quality is bounded by the upstream sources configured. The open-source codebase is auditable. For most users, the operational overhead exceeds the marginal privacy benefit over Brave Search or Kagi.
The Honest Limitations of All of These
A private search engine is one node in a larger system. Switching from Google to DuckDuckGo while using Chrome, logged into a Google account, on a network where your ISP sees all DNS queries, provides less privacy than the name implies. The search query itself is private; the surrounding context is not.
Complementary steps that actually matter:
- Encrypted DNS — use DNS-over-HTTPS or DNS-over-TLS so your ISP can't see the domains you query
- A browser that doesn't phone home — Firefox with strict tracking protection, or Brave, rather than Chrome
- A clean browser profile for sensitive searches — separate from your logged-in everyday browser
- Tor Browser for high-sensitivity queries — routes through the Tor network so the search engine sees a Tor exit node, not your IP
Search privacy is worth pursuing, but it's more useful to think of it as part of a stack than as a standalone fix. A well-configured private search engine, combined with hardened browser settings and encrypted DNS, meaningfully reduces the profiling surface. Either alone is partial. See our post on building a full privacy stack for a broader view.