Draft:BrowserGate

Chromium-based browsers like Google Chrome allow extensions to bundle files that any webpage can try to load. If a page requests a file from a known extension ID and gets a response, it knows the extension is there. This has been a known fingerprinting vector for years. In a 2020 paper at the NDSS Symposium, researchers from the University of Illinois Chicago showed they could fingerprint 29,428 Chrome extensions this way, and that knowing just four of a person's extensions was enough to uniquely identify them 94.47% of the time. The same paper found that hundreds of extensions could reveal religion, health conditions, or political views.^[7]

LinkedIn's data practices had already drawn regulatory action before BrowserGate. In October 2024, the Irish Data Protection Commission fined the company €310 million for using personal data for targeted advertising without valid consent under the General Data Protection Regulation.^[2][8] Separately, in September 2023, the European Commission designated Microsoft as a gatekeeper under the Digital Markets Act, with LinkedIn as one of its regulated platforms. That designation obliges LinkedIn to give third-party tools access to the platform and not to disadvantage businesses that use competing products.^[6]

LinkedIn's extension scanning was not found all at once. Dan Andrews, a developer, first noticed it in 2017. He published a GitHub repository showing that LinkedIn's JavaScript was probing for 38 specific extensions, mostly recruitment tools like Daxtra Magnet.^[9][10]

In 2024, Josef Kadlec, a Czech recruiter and sourcing trainer, went through LinkedIn's source code again and counted 461 extensions. He also noted that LinkedIn had started using DOM inspection to catch extensions that modify the page, not just the file-probing method Andrews had found.^[11] By February 2026, when software developer Mark Percival extracted the list, it had reached roughly 3,000.^[12] The Fairlinked investigation, published the following month, put the number at 6,236.^[1][6]

BleepingComputer confirmed that LinkedIn loads a JavaScript file (with a randomised filename) on every page visit. The script checks for 6,236 extensions by trying to fetch a known file from each one using the chrome-extension:// URL scheme. If the file loads, the extension is present. The whole process runs silently.^[1][3]

The Fairlinked report describes two additional systems on top of that. One, which LinkedIn's own code calls "Spectroscopy," walks the page's DOM looking for anything injected by an extension, even extensions not on the hardcoded list. The other collects 48 device attributes: CPU cores, memory, screen size, time zone, language, battery level, and others. All of it is encrypted with an RSA key and sent to LinkedIn's servers.^[2][6][13]

Only Chromium-based browsers are affected. Firefox and Safari use different extension architectures and are not vulnerable to the same probing technique.^[1][2]

The extension list is not limited to scraping tools. According to the Fairlinked report, it includes over 200 products that compete with LinkedIn's own sales features (such as Apollo.io, Lusha, and ZoomInfo), 509 job search extensions, and tools related to religious observance, political filtering, and neurodivergent support.^[1][3][6] Because LinkedIn accounts are tied to real names and employers, a detected extension can be linked to a specific person at a specific company. The combined install base of all scanned extensions is around 405 million.^[1][6]

Some of these categories are legally sensitive. Under Article 9 of the GDPR, data that reveals religious beliefs, political opinions, or health conditions is "special category" data, and processing it requires explicit consent.^[2]

A recurring theme in the press coverage has been the timing. The European Commission designated LinkedIn as a DMA gatekeeper in September 2023, requiring it to open up to third-party tools. The Fairlinked report and several news outlets pointed out that, according to their data, LinkedIn's scan list grew from about 461 extensions in 2024 to over 6,000 by February 2026, and that many of the added extensions are the exact tools the DMA is supposed to protect.^{[2][6][13][14]}

There is also a question about how LinkedIn handled its compliance obligations. The Fairlinked report says LinkedIn published two restricted APIs that together handle about 0.07 requests per second, while its internal Voyager API, which runs the actual LinkedIn website and apps, processes around 163,000 per second. Microsoft's 249-page DMA compliance report to the Commission uses the word "API" 533 times but never mentions Voyager.^[2][6][13]

Fairlinked filed formal complaints with the European Commission (DMA.100150 and DMA.100143).^[6] LinkedIn has not responded to the DMA-specific allegations.^[1]

LinkedIn told BleepingComputer it scans for "extensions that scrape data without members' consent or otherwise violate LinkedIn's Terms of Service." It said it does not use the data to infer sensitive information.^[1] The company also said the person behind the BrowserGate report had been restricted from the platform for scraping and had lost a court case in Germany.^[1][3]

After the US lawsuits were filed, LinkedIn gave a stronger statement to PCMag, calling the claims "a house of cards built entirely upon a fabrication" and saying it does disclose extension scanning in its privacy policy.^[5] Fairlinked responded that the German case LinkedIn cited was about an account suspension, not about the scanning, and that it is under appeal.^[5]

Two class-action complaints were filed on 7 April 2026 in federal court in San Jose. Ganan v. LinkedIn Corporation (Case 5:26-cv-02968) alleges violations of the Computer Fraud and Abuse Act and the Electronic Communications Privacy Act, among other claims.^[4] A second case, brought on behalf of Nicholas Farrell, makes similar arguments and relies partly on the BrowserGate report.^[5][15] The attorney in the Ganan case told Ars Technica that LinkedIn's public response "does not meaningfully deny the core conduct alleged in the complaint."^[15]

In Europe, Fairlinked filed complaints with the European Commission under the DMA. A related preliminary injunction at the Regional Court of Munich I (case 37 O 104/26) was denied in March 2026 but is on appeal.^[2][5] German legal commentators have also raised the question of whether the scanning could fall under Section 202a of the Strafgesetzbuch (unauthorised data access), which carries up to three years in prison.^[6][13]

BleepingComputer published its verification on 3 April 2026.^[1] The story was then picked up by Tom's Hardware,^[3] The Next Web,^[2] TechRadar,^[16] Cybernews,^[17] SC Media,^[18] Ars Technica,^[15] and others. On Hacker News, the story drew a long thread; LinkedIn's initial public comment came from an account called "LinkedinHelp."^[6][13]

• Browser fingerprinting
• Digital Markets Act
• General Data Protection Regulation
• LinkedIn

• BrowserGate investigation (Fairlinked e.V.)
• dandrews/nefarious-linkedin (Dan Andrews, 2017)
• mdp/linkedin-extension-fingerprinting (Mark Percival, 2026)

Category:2026 in computing Category:Internet privacy Category:LinkedIn Category:Microsoft controversies Category:Computer law Category:European Union law