LinkedIn browser extension scanning: Difference between revisions
new page on linkedin's browser-extension scanning, the browsergate report, microsoft's response, and the two california class actions |
cited each screenshot in its caption and spelled out which court case linkedin's statement refers to |
||
| (One intermediate revision by the same user not shown) | |||
| Line 13: | Line 13: | ||
== Background == | == Background == | ||
LinkedIn is a professional-networking service with more than one billion members.<ref name="tnw" /> [[Microsoft]] acquired the company in 2016 for $26.2 billion.<ref name="msft" /> The service has drawn regulatory scrutiny over its data handling before BrowserGate. In October 2024 the Irish Data Protection Commission fined LinkedIn 310 million euros, about $334 million, over processing personal data for targeted advertising without a valid legal basis.<ref name="tnw" /> | LinkedIn is a professional-networking service with more than one billion members.<ref name="tnw" /> [[Microsoft]] acquired the company in 2016 for $26.2 billion.<ref name="msft" /> The service has drawn regulatory scrutiny over its data handling before BrowserGate. In October 2024 the Irish Data Protection Commission fined LinkedIn 310 million euros, about $334 million, over processing personal data for targeted advertising without a valid legal basis.<ref name="tnw" /><ref name="dpc" /> | ||
[[File:LinkedIn BrowserGate Irish DPC fine.png|thumb|center|upright=2.0|The Irish Data Protection Commission's press release on its 310 million euro fine of LinkedIn Ireland, dated October 24, 2024.<ref name="dpc" />]] | |||
Browser extensions on Chromium-based browsers are addressed through fixed, enumerable identifiers. A web page can test whether a given extension is installed by attempting to load a file resource that the extension exposes under its known ID, & inferring the result from whether the load succeeds.<ref name="bleeping" /> | Browser extensions on Chromium-based browsers are addressed through fixed, enumerable identifiers. A web page can test whether a given extension is installed by attempting to load a file resource that the extension exposes under its known ID, & inferring the result from whether the load succeeds.<ref name="bleeping" /> | ||
| Line 24: | Line 26: | ||
BleepingComputer independently confirmed part of the claims through its own testing, during which it observed a JavaScript file with a randomized filename being loaded by LinkedIn's website.<ref name="bleeping" /> The total count of probed extensions came from the researchers rather than from BleepingComputer's own tally. The BrowserGate report counted 6,222 extensions, a figure repeated by PCMag & in the two lawsuits, while BleepingComputer's own testing found a script checking 6,236.<ref name="pcmag" /><ref name="bleeping" /> | BleepingComputer independently confirmed part of the claims through its own testing, during which it observed a JavaScript file with a randomized filename being loaded by LinkedIn's website.<ref name="bleeping" /> The total count of probed extensions came from the researchers rather than from BleepingComputer's own tally. The BrowserGate report counted 6,222 extensions, a figure repeated by PCMag & in the two lawsuits, while BleepingComputer's own testing found a script checking 6,236.<ref name="pcmag" /><ref name="bleeping" /> | ||
[[File:LinkedIn BrowserGate BleepingComputer verification.png|thumb|center|upright=2.2|BleepingComputer reported observing LinkedIn's scanning script and counting a check for 6,236 extensions, stating that it confirmed part of the BrowserGate findings through its own testing.<ref name="bleeping" />]] | |||
== Discovery and disclosure == | == Discovery and disclosure == | ||
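Review bot: the caption added on the right-hand side says BleepingComputer was "counting a check for 6,236 extensions", but the unchanged paragraph directly above it states that the total count "came from the researchers rather than from BleepingComputer's own tally". The caption and the paragraph should agree on whose count 6,236 is. If the bleeping source supports the outlet's own count, reword that paragraph sentence in the same edit; otherwise soften the caption.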
| Line 30: | Line 34: | ||
LinkedIn tied the report to a prior legal dispute. The company says the report stems from a dispute with the developer of a LinkedIn-related browser extension called Teamfluence, which LinkedIn restricted for violating its terms.<ref name="bleeping" /> The developer, Teamfluence Signal Systems OÜ, sought a preliminary injunction against LinkedIn Ireland Unlimited Company & LinkedIn Germany GmbH at the Regional Court of Munich in January 2026.<ref name="browsergate" /> In March 2026 the court dismissed the motion, finding that LinkedIn's actions did not constitute unlawful obstruction or discrimination.<ref name="cso" /><ref name="bleeping" /> | LinkedIn tied the report to a prior legal dispute. The company says the report stems from a dispute with the developer of a LinkedIn-related browser extension called Teamfluence, which LinkedIn restricted for violating its terms.<ref name="bleeping" /> The developer, Teamfluence Signal Systems OÜ, sought a preliminary injunction against LinkedIn Ireland Unlimited Company & LinkedIn Germany GmbH at the Regional Court of Munich in January 2026.<ref name="browsergate" /> In March 2026 the court dismissed the motion, finding that LinkedIn's actions did not constitute unlawful obstruction or discrimination.<ref name="cso" /><ref name="bleeping" /> | ||
[[File:LinkedIn BrowserGate Munich dismissal.png|thumb|center|upright=2.2|Fairlinked's BrowserGate page logs the January 2026 injunction filing against two LinkedIn entities and the Regional Court of Munich's dismissal of the motion on March 11, 2026.<ref name="browsergate" />]] | |||
== Competitor-tool targeting == | == Competitor-tool targeting == | ||
| Line 45: | Line 51: | ||
<blockquote>''This is a house of cards built entirely upon a fabrication. We do disclose that we scan for browser extensions in our Privacy Policy, in order to detect abuse and provide defense for site stability.''</blockquote><ref name="pcmag" /> | <blockquote>''This is a house of cards built entirely upon a fabrication. We do disclose that we scan for browser extensions in our Privacy Policy, in order to detect abuse and provide defense for site stability.''</blockquote><ref name="pcmag" /> | ||
LinkedIn also | LinkedIn also tied the report to the Teamfluence dispute. It told PCMag that the report came from the developer whose extension LinkedIn had restricted & whose preliminary injunction the Regional Court of Munich dismissed:<ref name="bleeping" /> | ||
<blockquote>''Unfortunately, this is a case of an individual who lost in the court of law, but is seeking to re-litigate in the court of public opinion without regard for accuracy.''</blockquote><ref name="pcmag" /> | <blockquote>''Unfortunately, this is a case of an individual who lost in the court of law, but is seeking to re-litigate in the court of public opinion without regard for accuracy.''</blockquote><ref name="pcmag" /> | ||
The ''court of law'' in that statement is the Munich injunction case, which the developer lost; the ''court of public opinion'' is the BrowserGate report & its press coverage.<ref name="bleeping" /> | |||
To The Next Web, the company said it looks for extensions ''that scrape data without members' consent or otherwise violate LinkedIn's Terms of Service'' to protect member privacy, data, & site stability.<ref name="tnw" /> LinkedIn's privacy policy states that it collects information about users' devices, including their web browser & add-ons.<ref name="mediapost" /> The BrowserGate report's position is that scanning thousands of specific third-party extensions without an explicit consent dialog is not meaningfully disclosed.<ref name="tnw" /> | To The Next Web, the company said it looks for extensions ''that scrape data without members' consent or otherwise violate LinkedIn's Terms of Service'' to protect member privacy, data, & site stability.<ref name="tnw" /> LinkedIn's privacy policy states that it collects information about users' devices, including their web browser & add-ons.<ref name="mediapost" /> The BrowserGate report's position is that scanning thousands of specific third-party extensions without an explicit consent dialog is not meaningfully disclosed.<ref name="tnw" /> | ||
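Review bot: the rewritten lead-in says LinkedIn "told PCMag" that the report came from the restricted developer, yet it carries the bleeping reference while the quote it introduces is cited to pcmag. Cite the outlet the sentence names, or name the outlet the citation points to. The added gloss on ''court of law'' and ''court of public opinion'' is also cited to bleeping; confirm the source makes that reading itself, otherwise attribute it or drop it as editorial interpretation.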
| Line 54: | Line 62: | ||
Two separate class actions were filed against LinkedIn in the U.S. District Court for the Northern District of California in early April 2026.<ref name="privacydaily" /><ref name="bloomberg" /> One, brought by Nicholas Farrell, is case No. 4:26-cv-02953.<ref name="privacydaily" /> The other, brought by Jeff Ganan, is case No. 5:26-cv-02968; the Ganan complaint was filed on April 6, 2026 by the Law Office of J.R. Howell & accused LinkedIn of running a ''covert browser surveillance system''.<ref name="privacydaily" /><ref name="ppc" /> | Two separate class actions were filed against LinkedIn in the U.S. District Court for the Northern District of California in early April 2026.<ref name="privacydaily" /><ref name="bloomberg" /> One, brought by Nicholas Farrell, is case No. 4:26-cv-02953.<ref name="privacydaily" /> The other, brought by Jeff Ganan, is case No. 5:26-cv-02968; the Ganan complaint was filed on April 6, 2026 by the Law Office of J.R. Howell & accused LinkedIn of running a ''covert browser surveillance system''.<ref name="privacydaily" /><ref name="ppc" /> | ||
[[File:LinkedIn BrowserGate Ganan complaint.png|thumb|center|upright=2.2|PPC Land's account of the Ganan v. LinkedIn complaint, filed April 6, 2026 as case No. 5:26-cv-02968 by the Law Office of J.R. Howell.<ref name="ppc" />]] | |||
The complaints plead causes of action including the California Comprehensive Computer Data Access & Fraud Act, invasion of privacy under the California Constitution, intrusion upon seclusion, the federal Electronic Communications Privacy Act, & California penal-code provisions covering the illegal use of a pen register or trap-and-trace device.<ref name="privacydaily" /> PCMag & Bloomberg Law reported on the same conduct underlying both suits.<ref name="pcmag" /><ref name="bloomberg" /> | The complaints plead causes of action including the California Comprehensive Computer Data Access & Fraud Act, invasion of privacy under the California Constitution, intrusion upon seclusion, the federal Electronic Communications Privacy Act, & California penal-code provisions covering the illegal use of a pen register or trap-and-trace device.<ref name="privacydaily" /> PCMag & Bloomberg Law reported on the same conduct underlying both suits.<ref name="pcmag" /><ref name="bloomberg" /> | ||
| Line 77: | Line 87: | ||
<ref name="browsergate">{{Cite web |title=First court action over DMA access |url=https://browsergate.eu/updates/first-court-action-over-dma-access/ |website=BrowserGate (Fairlinked e.V.) |date=2026-03-11 |access-date=2026-06-14}}</ref> | <ref name="browsergate">{{Cite web |title=First court action over DMA access |url=https://browsergate.eu/updates/first-court-action-over-dma-access/ |website=BrowserGate (Fairlinked e.V.) |date=2026-03-11 |access-date=2026-06-14}}</ref> | ||
<ref name="msft">{{Cite web |title=Microsoft to acquire LinkedIn |url=https://news.microsoft.com/2016/06/13/microsoft-to-acquire-linkedin/ |website=Microsoft News Center |date=2016-06-13 |access-date=2026-06-14}}</ref> | <ref name="msft">{{Cite web |title=Microsoft to acquire LinkedIn |url=https://news.microsoft.com/2016/06/13/microsoft-to-acquire-linkedin/ |website=Microsoft News Center |date=2016-06-13 |access-date=2026-06-14}}</ref> | ||
<ref name="dpc">{{Cite web |title=Irish Data Protection Commission fines LinkedIn Ireland €310 million |url=https://www.dataprotection.ie/en/news-media/press-releases/irish-data-protection-commission-fines-linkedin-ireland-eu310-million |website=Data Protection Commission |date=2024-10-24 |access-date=2026-06-14}}</ref> | |||
<ref name="safestate">{{Cite web |title=LinkedIn's BrowserGate Exposes Covert Scanning of 6,000 Extensions |url=https://www.safestate.com/post/linkedins-browsergate-exposes-covert-scanning-of-6000-extensions |website=SafeState |date=2026-04-15 |access-date=2026-06-14}}</ref> | <ref name="safestate">{{Cite web |title=LinkedIn's BrowserGate Exposes Covert Scanning of 6,000 Extensions |url=https://www.safestate.com/post/linkedins-browsergate-exposes-covert-scanning-of-6000-extensions |website=SafeState |date=2026-04-15 |access-date=2026-06-14}}</ref> | ||
</references> | </references> | ||
Latest revision as of 18:17, 14 June 2026
BrowserGate is the name given to the April 2026 disclosure that LinkedIn's website runs hidden JavaScript probing a visitor's Chromium-based browser for thousands of installed extensions while collecting device and browser data, with no entry in any consent dialog.[1][2] The probe checks for extensions by trying to access file resources tied to specific extension IDs, a known detection technique, & it gathers details such as CPU core count, available memory, screen resolution, time zone, & battery status.[1][3] Two class actions followed in the U.S. District Court for the Northern District of California in April 2026, accusing LinkedIn & its owner Microsoft of covert surveillance; LinkedIn called the underlying report a house of cards built entirely upon a fabrication & said its Privacy Policy discloses extension scanning to detect abuse & protect site stability.[4][5]
Background
LinkedIn is a professional-networking service with more than one billion members.[2] Microsoft acquired the company in 2016 for $26.2 billion.[6] The service has drawn regulatory scrutiny over its data handling before BrowserGate. In October 2024 the Irish Data Protection Commission fined LinkedIn 310 million euros, about $334 million, over processing personal data for targeted advertising without a valid legal basis.[2][7]

Browser extensions on Chromium-based browsers are addressed through fixed, enumerable identifiers. A web page can test whether a given extension is installed by attempting to load a file resource that the extension exposes under its known ID, & inferring the result from whether the load succeeds.[1]
The scanning mechanism
LinkedIn's site loads JavaScript that checks for installed browser extensions by attempting to access file resources associated with a specific extension ID, the established method for detecting whether an extension is present.[1] The same script collects device & browser telemetry: CPU core count, available memory, screen resolution, time zone, language settings, battery status, audio information, & storage features.[1][3]
The technique works only on Chromium-based browsers, such as Chrome, Edge, Brave, & Opera. Firefox & Safari are not affected, because their browser architectures do not permit the same probing method.[2][8] LinkedIn loads the script under a randomized filename that it rotates, which frustrates blocking the script by its name alone.[1]
BleepingComputer independently confirmed part of the claims through its own testing, during which it observed a JavaScript file with a randomized filename being loaded by LinkedIn's website.[1] The total count of probed extensions came from the researchers rather than from BleepingComputer's own tally. The BrowserGate report counted 6,222 extensions, a figure repeated by PCMag & in the two lawsuits, while BleepingComputer's own testing found a script checking 6,236.[4][1]
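The exposure this section describes can be checked from the extension side. The following is an added example, not code from LinkedIn, the BrowserGate report or any cited source: it audits an extension manifest for resources that a page at a given origin could request under the extension's fixed ID. The sample manifests and function names are constructed for illustration, and the logic relies on the documented Manifest V3 keys `matches` and `use_dynamic_url`.

```javascript
// Added example: which extension resources can a page reach by fixed ID?

// True when a Chromium match pattern covers the http(s) page origin.
function patternCoversOrigin(pattern, origin) {
  const page = new URL(origin);
  const scheme = page.protocol.slice(0, -1);
  if (!["http", "https"].includes(scheme)) return false;
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?):\/\/(\*|(?:\*\.)?[^/*]+)\/.*$/.exec(pattern);
  if (!m) return false;
  const [, pScheme, pHost] = m;
  if (pScheme !== "*" && pScheme !== scheme) return false;
  if (pHost === "*") return true;
  if (pHost.startsWith("*.")) {
    const base = pHost.slice(2);
    return page.hostname === base || page.hostname.endsWith("." + base);
  }
  return page.hostname === pHost;
}

// Resources a page at `origin` can load from chrome-extension://<fixed id>/...
function probeableResources(manifest, origin) {
  const entries = manifest.web_accessible_resources || [];
  if (manifest.manifest_version === 2) {
    // MV2: a flat list of paths, loadable by every web page.
    return entries.slice();
  }
  const hits = [];
  for (const entry of entries) {
    // use_dynamic_url: resource is reachable only through a per-session
    // dynamic ID, so a URL built from the fixed ID does not resolve.
    if (entry.use_dynamic_url === true) continue;
    const allowed = (entry.matches || []).some((p) => patternCoversOrigin(p, origin));
    if (allowed) hits.push(...(entry.resources || []));
  }
  return hits;
}

// Constructed sample manifests (hypothetical extensions, not real products).
const SAMPLES = {
  legacyMv2: { manifest_version: 2, web_accessible_resources: ["img/icon.png"] },
  broadMv3: { manifest_version: 3, web_accessible_resources: [
    { resources: ["inject.js"], matches: ["<all_urls>"] }] },
  scopedMv3: { manifest_version: 3, web_accessible_resources: [
    { resources: ["panel.html"], matches: ["https://*.example.org/*"] }] },
  dynamicMv3: { manifest_version: 3, web_accessible_resources: [
    { resources: ["ui.css"], matches: ["<all_urls>"], use_dynamic_url: true }] },
};

// Report, per sample manifest, what a page at `origin` could probe.
function audit(origin) {
  const report = {};
  for (const [name, manifest] of Object.entries(SAMPLES)) {
    report[name] = probeableResources(manifest, origin);
  }
  return report;
}

console.log(audit("https://www.linkedin.com"));
```

An empty list for a manifest means a page at that origin has no fixed-ID resource to test against; narrowing `matches` or setting `use_dynamic_url` is what moves an extension into that state.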

Discovery and disclosure
The report was published in early April 2026 by Fairlinked e.V., described by reporters as a European association of commercial LinkedIn users, & was dubbed BrowserGate, with findings posted at browsergate.eu.[2][9] Mainstream technology press, including BleepingComputer, Tom's Hardware, & The Next Web, covered the report within days.[1][10][2]
LinkedIn tied the report to a prior legal dispute. The company says the report stems from a dispute with the developer of a LinkedIn-related browser extension called Teamfluence, which LinkedIn restricted for violating its terms.[1] The developer, Teamfluence Signal Systems OÜ, sought a preliminary injunction against LinkedIn Ireland Unlimited Company & LinkedIn Germany GmbH at the Regional Court of Munich in January 2026.[11] In March 2026 the court dismissed the motion, finding that LinkedIn's actions did not constitute unlawful obstruction or discrimination.[12][1]

Competitor-tool targeting
According to the BrowserGate report, the probed extensions include sales-intelligence tools from Apollo, Lusha, & ZoomInfo that compete with LinkedIn's own products, & the report says LinkedIn scans more than 200 competing products in total.[10] Tom's Hardware corroborated only a general growth trend in the scan list through public GitHub repositories, noting roughly 2,000 entries in 2025 & roughly 3,000 by February 2026.[10]
Sensitive-category and scale claims
According to the BrowserGate report, the scan list grew from 38 extensions in 2017 to 6,222 by April 2026.[8] The report says the list includes extensions associated with religious practice, political affiliation, & neurodivergence, which it frames as enabling sensitive profiling.[8] LinkedIn says it does not use the data to infer sensitive information about members.[10] The report further argues that the scanning implicates special-category personal data protections under the GDPR.[2]
LinkedIn's response
LinkedIn rejected the report & defended the scanning as a security measure. The company told PCMag that the report was without foundation & that the scanning is disclosed:
This is a house of cards built entirely upon a fabrication. We do disclose that we scan for browser extensions in our Privacy Policy, in order to detect abuse and provide defense for site stability.
LinkedIn also tied the report to the Teamfluence dispute. It told PCMag that the report came from the developer whose extension LinkedIn had restricted & whose preliminary injunction the Regional Court of Munich dismissed:[1]
Unfortunately, this is a case of an individual who lost in the court of law, but is seeking to re-litigate in the court of public opinion without regard for accuracy.
The court of law in that statement is the Munich injunction case, which the developer lost; the court of public opinion is the BrowserGate report & its press coverage.[1]
To The Next Web, the company said it looks for extensions that scrape data without members' consent or otherwise violate LinkedIn's Terms of Service to protect member privacy, data, & site stability.[2] LinkedIn's privacy policy states that it collects information about users' devices, including their web browser & add-ons.[13] The BrowserGate report's position is that scanning thousands of specific third-party extensions without an explicit consent dialog is not meaningfully disclosed.[2]
Lawsuits
Two separate class actions were filed against LinkedIn in the U.S. District Court for the Northern District of California in early April 2026.[5][14] One, brought by Nicholas Farrell, is case No. 4:26-cv-02953.[5] The other, brought by Jeff Ganan, is case No. 5:26-cv-02968; the Ganan complaint was filed on April 6, 2026 by the Law Office of J.R. Howell & accused LinkedIn of running a covert browser surveillance system.[5][15]

The complaints plead causes of action including the California Comprehensive Computer Data Access & Fraud Act, invasion of privacy under the California Constitution, intrusion upon seclusion, the federal Electronic Communications Privacy Act, & California penal-code provisions covering the illegal use of a pen register or trap-and-trace device.[5] PCMag & Bloomberg Law reported on the same conduct underlying both suits.[4][14]
See also
References
1. Abrams, Lawrence (2026-04-03). "LinkedIn secretly scans for 6,000+ Chrome extensions, collects data". BleepingComputer. Retrieved 2026-06-14.
2. Dina, Cristian (2026-04-05). "LinkedIn is secretly scanning your browser for 6,000 extensions, and you weren't told". The Next Web. Retrieved 2026-06-14.
3. "LinkedIn uses hidden JavaScript to scan for over 6000 Chrome extensions on visitors' browsers". Ghacks. 2026-04-04. Retrieved 2026-06-14.
4. Kan, Michael (2026-04-07). "LinkedIn Hit With Class-Action Lawsuits Over Browser-Extension Scanning". PCMag. Retrieved 2026-06-14.
5. "Class Actions Accuse LinkedIn of Scanning Browser Extensions, Sharing Data". Privacy Daily. 2026-04-08. Retrieved 2026-06-14.
6. "Microsoft to acquire LinkedIn". Microsoft News Center. 2016-06-13. Retrieved 2026-06-14.
7. "Irish Data Protection Commission fines LinkedIn Ireland €310 million". Data Protection Commission. 2024-10-24. Retrieved 2026-06-14.
8. "LinkedIn's BrowserGate Exposes Covert Scanning of 6,000 Extensions". SafeState. 2026-04-15. Retrieved 2026-06-14.
9. "LinkedIn Faces Class Action Over Alleged Covert Scanning of Users' Browsers". CyberInsider. 2026-04-07. Retrieved 2026-06-14.
10. "LinkedIn scans visitors' browsers for over 6,000 Chrome extensions and collects device data". Tom's Hardware. 2026-04-04. Retrieved 2026-06-14.
11. "First court action over DMA access". BrowserGate (Fairlinked e.V.). 2026-03-11. Retrieved 2026-06-14.
12. "Questions raised about how LinkedIn uses the petabytes of data it collects". CSO Online. 2026-04-08. Retrieved 2026-06-14.
13. "LinkedIn Hit With Privacy Suits Over Browser Scans". MediaPost. 2026-04-08. Retrieved 2026-06-14.
14. "LinkedIn Hit With Two Suits Over Browser Extension Tracking". Bloomberg Law. 2026-04-08. Retrieved 2026-06-14.
15. "LinkedIn hit with class action over hidden browser scan of 6,000 extensions". PPC Land. 2026-04-08. Retrieved 2026-06-14.