
Report Alleges LinkedIn Scans Browser Extensions and Collects Device Data; LinkedIn Cites Platform Protection


LinkedIn Accused of Extensive Browser Extension Scanning and Data Collection in "BrowserGate" Report

A new report, "BrowserGate," from Fairlinked e.V. alleges LinkedIn scans visitors' browsers for over 6,000 extensions and collects device data. Independent verification confirmed these claims, while LinkedIn states the practice protects its platform from scraping and terms of service violations, noting the report's author was banned for similar activities.

A report titled "BrowserGate," published by the European advocacy group Fairlinked e.V., alleges that LinkedIn uses JavaScript to scan visitors' browsers for installed extensions and collect device data. Independent verification by BleepingComputer confirmed aspects of these claims, observing a script detecting over 6,000 browser extensions and gathering system information. LinkedIn acknowledges detecting specific browser extensions, stating the practice is for platform protection, user privacy, and site stability, particularly to prevent data scraping and terms of service violations. The company also states the report's author was banned for scraping and previously had legal claims against LinkedIn dismissed by a German court.

Allegations from the "BrowserGate" Report

Fairlinked e.V., an association of commercial LinkedIn users, asserts that LinkedIn injects JavaScript into user sessions to detect thousands of browser extensions and link the findings to identifiable user profiles. The group claims this practice is used to gather personal and corporate information.

The report specifically alleges that LinkedIn scans for over 200 products that compete with its sales tools, such as Apollo, Lusha, and ZoomInfo, suggesting this could enable LinkedIn to identify competitor product usage by company and potentially extract customer lists. Fairlinked e.V. further alleges that LinkedIn utilizes this scanning capability for competitive enforcement, including sending legal threats to users of third-party tools based on the data obtained.

Scanning Mechanism and Scope

Independent verification by BleepingComputer observed a JavaScript file loaded by LinkedIn that checked for 6,236 browser extensions. This method involves attempting to access file resources associated with specific extension IDs. The script was found to detect extensions both related and unrelated to LinkedIn, including language tools, grammar checkers, and software for tax professionals.

Previous reports indicated a smaller scope of detection, with lists growing from approximately 461 products in 2024 to over 6,000 by February 2026. Independent research suggests the practice dates back to at least 2017, when 38 extensions were scanned.

The scanning mechanism reportedly executes rapidly and is not directly visible to the user. It is primarily triggered on Chromium-based browsers, including Chrome, Edge, Brave, Opera, and Arc, through an isUserAgentChrome() function check. Firefox and Safari users are reportedly not affected.
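The mechanism above depends on an extension exposing files that a web page is allowed to request. As an added example (not code from the report or from LinkedIn), the following Node.js audit reads an extension manifest and reports whether a page on a given origin could load any of its files. It assumes the probed "file resources" are those declared under Chrome's `web_accessible_resources` manifest key; `auditManifest`, `matchPatternToRegExp` and the sample manifests are hypothetical and constructed for illustration.

```javascript
// Added example: defender-side audit of which extension files a page can request.
// Convert a Chrome match pattern (e.g. "https://*.example.com/*") to a RegExp.
function matchPatternToRegExp(pattern) {
  if (pattern === '<all_urls>') return /^(https?|file|ftp):\/\//;
  const m = /^(\*|https?|file|ftp):\/\/(\*|\*\.[^/*]+|[^/*]*)(\/.*)$/.exec(pattern);
  if (!m) return null; // malformed pattern: treat as matching nothing
  const [, scheme, host, path] = m;
  const esc = (s) => s.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
  const schemeRe = scheme === '*' ? 'https?' : scheme;
  let hostRe;
  if (host === '*') hostRe = '[^/]*';
  else if (host.startsWith('*.')) hostRe = '(?:[^/]+\\.)?' + esc(host.slice(2));
  else hostRe = esc(host);
  return new RegExp('^' + schemeRe + '://' + hostRe + esc(path).replace(/\*/g, '.*') + '$');
}

// Report the files in `manifest` that a page served from `pageOrigin` may load.
function auditManifest(manifest, pageOrigin) {
  const war = manifest.web_accessible_resources || [];
  const exposed = [];
  if (manifest.manifest_version === 2) {
    // Manifest V2: a flat list of paths, loadable by every web page.
    exposed.push(...war);
  } else {
    for (const entry of war) {
      const allowed = (entry.matches || []).some((p) => {
        const re = matchPatternToRegExp(p);
        return re !== null && re.test(pageOrigin + '/');
      });
      // use_dynamic_url serves the file under a per-session ID, so a request
      // built from the extension's fixed ID does not reach it.
      if (allowed && !entry.use_dynamic_url) exposed.push(...(entry.resources || []));
    }
  }
  return { name: manifest.name, probeable: exposed.length > 0, exposed };
}

// Constructed sample manifests (not real extensions).
const SAMPLES = [
  { name: 'legacy-mv2', manifest_version: 2, web_accessible_resources: ['img/icon.png'] },
  { name: 'mv3-all-urls', manifest_version: 3,
    web_accessible_resources: [{ resources: ['inject.css'], matches: ['<all_urls>'] }] },
  { name: 'mv3-scoped', manifest_version: 3,
    web_accessible_resources: [{ resources: ['ui.html'], matches: ['https://*.example-crm.test/*'] }] },
  { name: 'mv3-dynamic', manifest_version: 3,
    web_accessible_resources: [{ resources: ['a.js'], matches: ['<all_urls>'], use_dynamic_url: true }] },
  { name: 'no-war', manifest_version: 3 },
];

for (const m of SAMPLES) console.log(auditManifest(m, 'https://www.linkedin.com'));
```

An extension reported as `probeable: false` here exposes no file to that origin, so this particular method cannot reveal it; the result says nothing about other fingerprinting signals.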

Data Collected and Categorization

Beyond browser extensions, the script also collects various browser and device data, such as CPU core count, available memory, screen resolution, timezone, language settings, battery status, and audio information. BleepingComputer noted that similar fingerprinting techniques have been used for cross-site user tracking but could not verify the specific use or sharing of this data as claimed by Fairlinked e.V.

Fairlinked e.V. researchers identified categories among the detected extensions that they describe as "high-risk," given that LinkedIn accounts are linked to real identities, employers, and job roles. These categories include:

  • Job search tools: Over 500 extensions for platforms like Indeed and Glassdoor.
  • Religious belief indicators: Extensions identifying specific faith communities.
  • Political orientation markers: News source selectors and partisan fact-checking tools.
  • Disability and neurodivergent tools: Apps for ADHD management, autism support, and screen readers.
  • Competitor products: Over 200 extensions for rival sales intelligence platforms.

Fairlinked e.V. alleges that under the EU’s General Data Protection Regulation (GDPR), data revealing religious beliefs, political opinions, and health conditions is classified as Special Category Data, requiring explicit consent for processing. The group asserts LinkedIn lacks this consent, disclosure, or a legal basis for collecting such data.

Fairlinked e.V. estimates the combined user base of the scanned extensions at 405 million people. The group has informed regulators across the EU and is organizing legal proceedings. The report also alleges that the surveillance extends beyond LinkedIn’s direct servers, identifying an invisible tracking element from HUMAN Security and a third script from Google executing on page loads, which reportedly set cookies and build device profiles.

LinkedIn's Response

LinkedIn confirmed that it detects specific browser extensions, stating this information is used to protect the platform and its users. The company specified that it identifies extensions that scrape data without members' consent or otherwise violate LinkedIn's Terms of Service. This practice helps inform technical defenses and understand unusual data fetching patterns that could impact site stability.

LinkedIn denies using the data to infer sensitive information about members and states that the detection is visible within the Chrome developer console.

The company stated that the "BrowserGate" report originates from an individual whose account was banned for scraping LinkedIn content and violating its terms of use. LinkedIn added that this individual attempted legal action in Germany following their account restriction, alleging LinkedIn violated various laws. LinkedIn asserts that a German court ruled against the individual, finding their claims without merit and noting that the individual's own data practices potentially violated the law. LinkedIn characterized the "BrowserGate" report as an attempt to publicly re-litigate a dispute that was resolved in court.

Broader Industry Context

The use of fingerprinting scripts to detect browser extensions and collect system data is not unique to LinkedIn. In 2021, eBay was found to use JavaScript to perform automated port scans on visitors' devices, believed to be for fraud prevention. Subsequently, other companies, including Citibank and Equifax, were also found to use similar fingerprinting scripts.

User Guidance

Users concerned about browser extension scanning have several options:

  • Use Firefox or Safari for LinkedIn access, as the reported detection method relies on Chrome's extension architecture.
  • Create a LinkedIn-specific Chrome profile with no extensions installed.
  • Use Brave browser with fingerprinting protection enabled.
  • Audit installed extensions using Fairlinked e.V.'s public database to check for tracked tools.