LinkedIn Found Scanning Users' Chrome Extensions and Collecting Data
TL;DR
An investigation by European advocacy group Fairlinked e.V. has revealed that LinkedIn runs hidden JavaScript on every page load that probes visitors' browsers for over 6,236 Chrome extensions, collects hardware data, and shares results with third parties — all without user consent or disclosure in its privacy policy. The practice, which grew from scanning 38 extensions in 2017 to more than 6,000 by early 2026, has triggered legal proceedings in Germany under the Digital Markets Act and raised questions about GDPR compliance, competitive intelligence gathering, and the boundaries of corporate anti-fraud measures.
Every time you open LinkedIn in a Chromium-based browser, hidden JavaScript fires off thousands of requests to determine which extensions you have installed. The results — encrypted and paired with your real name, employer, and job title — are sent to LinkedIn's servers and at least one third-party cybersecurity firm. LinkedIn says it's protecting the platform. Critics say it's warrantless surveillance of a billion professionals.
What the Code Does
The mechanism is straightforward. LinkedIn embeds a JavaScript file with a randomized filename that attempts to access static file resources tied to specific Chrome extension IDs. Each chrome-extension:// URL either resolves (extension present) or fails (extension absent). The binary results for all 6,236 targeted extensions are compiled, encrypted, and transmitted back to LinkedIn.
Beyond extension detection, the same script harvests a broad set of device fingerprinting signals: CPU core count, available memory, screen resolution, timezone, language settings, battery status, audio configuration, and storage capabilities. Taken together, these attributes create a high-entropy fingerprint that can distinguish individual devices with near-certainty.
BleepingComputer independently verified the presence of the fingerprinting script on LinkedIn's website, confirming the core technical claims. However, BleepingComputer noted it could not independently confirm how the collected data is used, whether it is shared with third parties, or establish a direct connection between detected extensions and LinkedIn enforcement actions.
The Scale: From 38 Extensions to 6,236
The scanning did not begin at this scale. According to the BrowserGate investigation by Fairlinked e.V., a German nonprofit representing commercial LinkedIn users and extension developers, LinkedIn's scan list contained just 38 extensions in 2017. By January 2024, the list had grown to 461. By mid-2025, independent researchers documented approximately 2,000 targeted extensions. A separate GitHub repository from December 2025 logged 5,459. By February 2026, the count reached 6,167. As of April 2026, it stands at 6,236 — a 1,252% increase from January 2024 alone.
This trajectory raises a question that LinkedIn has not answered: if the scanning is purely defensive, why has the target list expanded at an accelerating rate, and what process determines which extensions are added?
What Gets Flagged — and What That Reveals
The composition of the 6,236-extension list is where LinkedIn's anti-fraud justification faces its sharpest scrutiny.
The largest single category is job search tools — 509 extensions with a combined user base of roughly 1.4 million people. For a platform whose revenue depends on recruiting products like LinkedIn Recruiter and LinkedIn Jobs, knowing which users are secretly job-hunting — and which tools they use to do it — has obvious commercial value.
Over 200 of the targeted extensions are direct competitors to LinkedIn's own sales and recruiting products, including tools from Apollo, Lusha, and ZoomInfo. Because LinkedIn knows each user's employer and job title, the scan results effectively map which companies use which competing sales intelligence platforms — intelligence that LinkedIn's sales team could, in theory, use to target competitive displacement campaigns.
The list also includes extensions that reveal protected personal characteristics. Fairlinked's analysis identified extensions associated with religious practice (including PordaAI, an Islamic values content filter, and Deen Shield, a Quran-related tool), political orientation (Anti-Woke, Vote With Your Money), and disability or neurodivergence (Simplify, designed for neurodivergent users). Under European law, data that reveals religious beliefs, political opinions, or health conditions is classified as "special category data" under GDPR Article 9 and is prohibited from processing without explicit consent.
LinkedIn has stated: "We do not use this data to infer sensitive information about members". But privacy law in the EU does not hinge on intent. The Court of Justice of the European Union has ruled that data "revealing" protected characteristics falls under Article 9 regardless of whether the data controller intended to draw such inferences.
The Third-Party Pipeline
The data does not stay solely within LinkedIn's systems. The BrowserGate investigation identified a hidden tracking element loaded from HUMAN Security (formerly PerimeterX), an American-Israeli cybersecurity firm. The element — an iframe loaded from li.protechts.net — is zero pixels wide, positioned off-screen, and marked aria-hidden="true". It sets cookies on users' browsers without their knowledge.
HUMAN Security specializes in bot detection and ad fraud prevention, and its technology is used by many major websites. The presence of its tracking infrastructure on LinkedIn does not by itself prove misuse. But the BrowserGate report argues that the combination of extension fingerprinting data and HUMAN Security's behavioral analysis creates a surveillance apparatus that goes well beyond standard bot detection.
LinkedIn has not disclosed the full list of third parties receiving scan data, nor has it clarified what contractual limits govern how those third parties may use it.
LinkedIn's Defense — and Where It Breaks Down
LinkedIn's position is unambiguous. A spokesperson told BleepingComputer: "To protect the privacy of our members, their data, and to ensure site stability, we do look for extensions that scrape data without members' consent or otherwise violate LinkedIn's Terms of Service".
This framing has merit. Data scraping is a genuine and well-documented problem for LinkedIn. The company has fought multiple legal battles against scraping operations, most notably in hiQ Labs v. LinkedIn, which reached the U.S. Supreme Court. Extensions that automate data extraction from LinkedIn profiles do exist, and detecting them is a legitimate platform integrity concern.
Extension enumeration as a bot-detection signal is also not unique to LinkedIn. HUMAN Security's technology is deployed across many high-traffic websites, and checking for known automation extensions is a standard component of bot-detection frameworks. The technique of probing chrome-extension:// URLs to detect installed extensions has been documented in academic research since at least 2017.
The anti-fraud argument starts to weaken, however, on three fronts.
Scope. If the goal is to detect scraping tools, a list of a few dozen known scraper extensions would suffice. A list of 6,236 — including job search tools, religious extensions, and political opinion indicators — goes far beyond what any reasonable anti-scraping program requires.
Disclosure. LinkedIn's privacy policy makes no mention of extension scanning. If this were a routine, defensible security practice, the absence of any disclosure is difficult to explain. Standard industry practice for fingerprinting-based fraud detection is to describe the data collection in a privacy policy, even if the specific signals are not enumerated.
Competitive intelligence. The heavy representation of direct competitor products — Apollo, Lusha, ZoomInfo, and over 200 other sales tools — suggests a secondary purpose beyond security. LinkedIn has not explained why it needs to detect whether a user has installed a competitor's Chrome extension to protect the platform from scraping.
Legal Exposure Across Multiple Jurisdictions
The legal terrain is significant. Fairlinked's analysis, detailed on the BrowserGate website, identifies potential violations across several regulatory frameworks:
GDPR (EU). The scanning lacks a valid legal basis under Article 6, as it is neither consensual nor contractually necessary. The collection of data revealing religious beliefs, political opinions, and health conditions without explicit consent violates Article 9. The absence of any disclosure violates Articles 13 and 14. Maximum penalties under GDPR reach 4% of global annual revenue — which for Microsoft (LinkedIn's parent company, with fiscal year 2025 revenue of $281.72 billion) could theoretically reach approximately $11.27 billion.
ePrivacy Directive. The directive requires consent before accessing data stored on a user's terminal equipment. LinkedIn fires 6,222 fetch requests to chrome-extension:// URLs on each page load without authorization. Germany's transposition of this directive (TTDSG § 25) carries penalties of up to €300,000 per violation.
CCPA/CPRA (California). The extension data, tied to identified LinkedIn users, constitutes "personal information" under CCPA § 1798.140(v). Extensions revealing religious beliefs or health conditions fall under the CPRA's "sensitive personal information" category. Statutory penalties range from $2,500 to $7,500 per violation.
Computer Fraud and Abuse Act (U.S.). The BrowserGate report raises this statute, but the argument is less developed. The CFAA generally requires "unauthorized access" to a "protected computer," and courts have interpreted this narrowly in the context of client-side web interactions.
In January 2026, Estonian software company Teamfluence Signal Systems OÜ filed a preliminary injunction against LinkedIn Ireland Unlimited Company and LinkedIn Germany GmbH at the Regional Court of Munich (Case No. 37 O 104/26), alleging violations of the Digital Markets Act, EU competition law, and German data protection rules. The case is represented by Glade Michel Wirtz, the firm that secured the first successful DMA-based private enforcement action against Google. The presiding judge, Dr. Michaela Althaus, previously ruled against Google in a competition law injunction proceeding.
No EU data protection authority has publicly confirmed opening a formal investigation as of early April 2026, though the Irish Data Protection Commission serves as the lead supervisory authority for LinkedIn's EU operations and would be the primary venue for GDPR complaints.
How Does LinkedIn Compare to the Industry?
Browser fingerprinting is widespread. A 2016 academic study of the top one million websites found tracking services from Google and Facebook present on over 10% of sites. Canvas fingerprinting, font enumeration, and WebGL probing are common techniques. Google itself shifted policy in early 2025 to permit digital fingerprinting as a tracking mechanism for advertisers, a move criticized by privacy advocates.
But extension enumeration at LinkedIn's scale appears to be an outlier. While bot-detection services like HUMAN Security, Akamai, and Cloudflare check for a limited set of known automation extensions, no other major social platform has been documented probing for more than 6,000 extensions, including religious, political, and disability-related tools. Meta, Google, and X use fingerprinting techniques, but published research has not identified extension scanning at comparable breadth.
Apple maintains the strictest position among browser vendors: fingerprinting is "never allowed" on Safari, and the browser aggressively neutralizes high-entropy attributes. Firefox's architecture prevents the chrome-extension:// probing technique entirely, which means Firefox and Safari users are not affected by LinkedIn's scanning.
Who Is Affected and What Can Users Do
The scanning affects users visiting LinkedIn through any Chromium-based browser — Chrome, Edge, Brave, Opera, and others. Firefox and Safari users are not currently affected because those browsers do not expose the chrome-extension:// URL scheme.
The BrowserGate report estimates that up to 405 million people worldwide may be affected, though this figure depends on what proportion of LinkedIn's billion-plus users access the site through Chromium browsers. LinkedIn has not disclosed its browser share statistics.
There is no opt-out toggle within LinkedIn's settings for extension scanning specifically. LinkedIn's advertising preferences allow users to limit ad tracking, but these settings do not govern the fingerprinting script.
Users who want to avoid the scanning have limited options: use Firefox or Safari for LinkedIn, create a dedicated Chrome profile with no extensions installed, or use Brave browser, which blocks the key tracking endpoints (/sensorCollect and li.protechts.net) by default.
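To check whether a given browser session was probed, the indicators named in this article (bulk chrome-extension:// requests, the /sensorCollect endpoint, and li.protechts.net) can be counted in a HAR capture exported from the browser's network panel. The following is an added example, not code from LinkedIn, BleepingComputer, or the BrowserGate report; the threshold, the sample URLs, the extension IDs, and the assumption that the capture records chrome-extension:// requests are all constructed for illustration.

```javascript
// Added example: audit a HAR capture for the indicators this article names.
// Assumption: the capture tool records chrome-extension:// requests at all.
const EXT_PROBE = /^chrome-extension:\/\/([a-p]{32})\//; // IDs are 32 letters a-p
const ENUMERATION_THRESHOLD = 20; // hypothetical cut-off for "bulk probing"

function auditCapture(har) {
  const probed = new Set();  // every extension ID the page asked about
  const exposed = new Set(); // IDs whose resource loaded, i.e. revealed as installed
  let sensorCollectRequests = 0;
  let protechtsRequests = 0;

  for (const entry of har.log.entries) {
    const url = entry.request.url;
    const probe = EXT_PROBE.exec(url);
    if (probe) {
      probed.add(probe[1]);
      if (entry.response && entry.response.status === 200) exposed.add(probe[1]);
      continue;
    }
    let parsed;
    try { parsed = new URL(url); } catch { continue; } // skip malformed entries
    if (parsed.hostname === 'li.protechts.net') protechtsRequests++;
    if (parsed.pathname.includes('/sensorCollect')) sensorCollectRequests++;
  }
  return {
    distinctExtensionsProbed: probed.size,
    exposedExtensionIds: [...exposed].sort(),
    sensorCollectRequests,
    protechtsRequests,
    likelyEnumeration: probed.size >= ENUMERATION_THRESHOLD,
  };
}

// Constructed sample capture: 30 made-up extension IDs, two of which "resolve".
// The linkedin.com paths below are placeholders, not observed URLs.
function buildSampleCapture() {
  const entries = [];
  for (let i = 0; i < 30; i++) {
    const id = 'a'.repeat(30) +
      String.fromCharCode(97 + Math.floor(i / 16)) +
      String.fromCharCode(97 + (i % 16));
    entries.push({
      request: { url: `chrome-extension://${id}/icon.png` },
      response: { status: i < 2 ? 200 : 0 }, // 0 = load failed, extension absent
    });
  }
  for (const url of ['https://www.linkedin.com/feed/',
                     'https://www.linkedin.com/sensorCollect',
                     'https://li.protechts.net/index.html']) {
    entries.push({ request: { url }, response: { status: 200 } });
  }
  return { log: { entries } };
}

console.log(auditCapture(buildSampleCapture()));
```

The exposedExtensionIds list is the part worth acting on: those are the extensions a probing page could confirm as installed in that profile.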
Under GDPR and CCPA, users have the right to request access to and deletion of personal data. Whether LinkedIn would comply with a deletion request specifically targeting extension scan data has not been tested. LinkedIn has not committed to any concrete changes to the practice, nor indicated a timeline for updating its privacy policy to disclose the scanning.
The Disclosure That Triggered the Fallout
LinkedIn has suggested the BrowserGate investigation originated from a commercial dispute. The company told reporters that the report stems from the developers behind Teamfluence, a LinkedIn-related browser extension that LinkedIn restricted for violating its terms of service. This is partially accurate — Teamfluence is the company that filed the Munich injunction — but the technical findings have been independently verified by BleepingComputer and documented in multiple GitHub repositories.
The timeline of public scrutiny began in 2025 when independent researchers first documented the scanning at approximately 2,000 extensions. The Fairlinked/BrowserGate investigation, which provides the most comprehensive analysis, was published in early April 2026. LinkedIn has not indicated whether it altered the scanning behavior in response to the earlier 2025 reports; the continued growth of the extension list from 2,000 to 6,236 between mid-2025 and April 2026 suggests it did not.
What Comes Next
The Munich court proceedings, the possibility of GDPR complaints to the Irish DPC, and growing public awareness create a set of pressures that LinkedIn and Microsoft will need to address with more than a one-sentence statement about protecting platform integrity.
The core tension is real: platforms do need to defend against automated scraping and bot activity, and extension detection is one tool in that arsenal. But the gap between detecting a handful of known scraping tools and cataloging 6,236 extensions — including ones that reveal whether a user is a practicing Muslim, a job-seeker, or a user of a competitor's product — is wide enough to demand a more detailed explanation than LinkedIn has so far provided.
The company has three options: transparently disclose the practice in its privacy policy and provide an opt-out mechanism, narrow the extension list to genuinely security-relevant tools, or defend the current scope in court. The first option is the least costly. Whether LinkedIn chooses it may reveal more about the program's true purpose than any code review could.
Sources (13)
- [1] LinkedIn secretly scans for 6,000+ Chrome extensions, collects data (bleepingcomputer.com)
BleepingComputer independently verified LinkedIn's fingerprinting script, confirming it checks for 6,236 Chrome extension IDs and collects device data on every visit.
- [2] LinkedIn Uses Hidden JavaScript to Scan for Over 6,000 Chrome Extensions on Visitors' Browsers (ghacks.net)
LinkedIn deploys a JavaScript fingerprinting script with randomized filenames that detects installed Chrome extensions and collects hardware data without user disclosure.
- [3] LinkedIn is spying on you, according to a new 'BrowserGate' security report (tomshardware.com)
Tom's Hardware reports on the BrowserGate investigation revealing LinkedIn's stealthy scanning of over 6,000 Chrome extensions and harvesting of hardware data from visitors.
- [4] Why it's illegal and potentially criminal – BrowserGate (browsergate.eu)
Fairlinked e.V.'s legal analysis details GDPR Article 9 violations, ePrivacy Directive breaches, and potential criminal liability across EU jurisdictions for LinkedIn's extension scanning.
- [5] BrowserGate – LinkedIn Is Illegally Searching Your Computer (browsergate.eu)
The BrowserGate investigation by Fairlinked e.V. documents how LinkedIn's extension scan list grew from 38 entries in 2017 to 6,236 by April 2026, targeting job search tools, competitor products, and extensions revealing protected characteristics.
- [6] LinkedIn Hidden Code Secretly Searches Your Browser for Installed Extensions (cybersecuritynews.com)
Cybersecurity News reports on the hidden JavaScript code LinkedIn uses to probe for thousands of browser extensions and collect device fingerprinting data.
- [7] LinkedIn Allegedly Scans Your Browser – and Sends the Data to Third Parties (tech.yahoo.com)
Yahoo Tech reports on LinkedIn's alleged sharing of extension scan data with HUMAN Security (formerly PerimeterX) via a hidden zero-pixel iframe.
- [8] Microsoft's LinkedIn is scanning installed browser extensions without user permission (appleinsider.com)
Apple Insider reports on LinkedIn's scanning of browser extensions without user permission, noting that Firefox and Safari users are not affected.
- [9] Browser Fingerprinting Techniques: 6 Top Methods Explained (fingerprint.com)
An overview of browser fingerprinting techniques including extension detection, canvas fingerprinting, and WebGL probing used across the industry for fraud prevention.
- [10] Fingerprinting and Tracing Shadows: The Development and Impact of Browser Fingerprinting on Digital Privacy (arxiv.org)
Academic research documenting the history and prevalence of browser fingerprinting techniques, including extension enumeration, across major websites.
- [11] LinkedIn Is Spying on Your Browser Extensions — Report (cyberkendra.com)
Cyber Kendra reports on the Teamfluence preliminary injunction filed at the Regional Court of Munich against LinkedIn Ireland and LinkedIn Germany under the Digital Markets Act.
- [12] Google now allows digital fingerprinting of its users (malwarebytes.com)
Malwarebytes reports on Google's 2025 policy shift permitting digital fingerprinting for advertisers, contrasting with Apple's strict prohibition.
- [13] Is LinkedIn's Browser Fingerprinting Watching You? What the 'BrowserGate' Report Means for Your Privacy (cloaked.com)
Cloaked's analysis of user options for avoiding LinkedIn's extension scanning, including browser selection, profile isolation, and privacy settings.