Consumer Rights Wiki

LinkedIn browser extension scanning: Difference between revisions

← Older edit
VisualWikitext
added screenshots of the bleepingcomputer testing, the munich ruling, the irish dpc fine, and the ganan complaint
cited each screenshot in its caption and spelled out which court case linkedin's statement refers to
 
Line 13: Line 13:
== Background ==
== Background ==


LinkedIn is a professional-networking service with more than one billion members.<ref name="tnw" /> [[Microsoft]] acquired the company in 2016 for $26.2 billion.<ref name="msft" /> The service has drawn regulatory scrutiny over its data handling before BrowserGate. In October 2024 the Irish Data Protection Commission fined LinkedIn 310 million euros, about $334 million, over processing personal data for targeted advertising without a valid legal basis.<ref name="tnw" />
LinkedIn is a professional-networking service with more than one billion members.<ref name="tnw" /> [[Microsoft]] acquired the company in 2016 for $26.2 billion.<ref name="msft" /> The service has drawn regulatory scrutiny over its data handling before BrowserGate. In October 2024 the Irish Data Protection Commission fined LinkedIn 310 million euros, about $334 million, over processing personal data for targeted advertising without a valid legal basis.<ref name="tnw" /><ref name="dpc" />


[[File:LinkedIn BrowserGate Irish DPC fine.png|thumb|center|upright=2.0|The Irish Data Protection Commission's press release on its 310 million euro fine of LinkedIn Ireland, dated October 24, 2024.]]
[[File:LinkedIn BrowserGate Irish DPC fine.png|thumb|center|upright=2.0|The Irish Data Protection Commission's press release on its 310 million euro fine of LinkedIn Ireland, dated October 24, 2024.<ref name="dpc" />]]


Browser extensions on Chromium-based browsers are addressed through fixed, enumerable identifiers. A web page can test whether a given extension is installed by attempting to load a file resource that the extension exposes under its known ID, & inferring the result from whether the load succeeds.<ref name="bleeping" />
Browser extensions on Chromium-based browsers are addressed through fixed, enumerable identifiers. A web page can test whether a given extension is installed by attempting to load a file resource that the extension exposes under its known ID, & inferring the result from whether the load succeeds.<ref name="bleeping" />
Line 27: Line 27:
BleepingComputer independently confirmed part of the claims through its own testing, during which it observed a JavaScript file with a randomized filename being loaded by LinkedIn's website.<ref name="bleeping" /> The total count of probed extensions came from the researchers rather than from BleepingComputer's own tally. The BrowserGate report counted 6,222 extensions, a figure repeated by PCMag & in the two lawsuits, while BleepingComputer's own testing found a script checking 6,236.<ref name="pcmag" /><ref name="bleeping" />
BleepingComputer independently confirmed part of the claims through its own testing, during which it observed a JavaScript file with a randomized filename being loaded by LinkedIn's website.<ref name="bleeping" /> The total count of probed extensions came from the researchers rather than from BleepingComputer's own tally. The BrowserGate report counted 6,222 extensions, a figure repeated by PCMag & in the two lawsuits, while BleepingComputer's own testing found a script checking 6,236.<ref name="pcmag" /><ref name="bleeping" />


[[File:LinkedIn BrowserGate BleepingComputer verification.png|thumb|center|upright=2.2|BleepingComputer reported observing LinkedIn's scanning script and counting a check for 6,236 extensions, stating that it confirmed part of the BrowserGate findings through its own testing.]]
[[File:LinkedIn BrowserGate BleepingComputer verification.png|thumb|center|upright=2.2|BleepingComputer reported observing LinkedIn's scanning script and counting a check for 6,236 extensions, stating that it confirmed part of the BrowserGate findings through its own testing.<ref name="bleeping" />]]


== Discovery and disclosure ==
== Discovery and disclosure ==
Line 35: Line 35:
LinkedIn tied the report to a prior legal dispute. The company says the report stems from a dispute with the developer of a LinkedIn-related browser extension called Teamfluence, which LinkedIn restricted for violating its terms.<ref name="bleeping" /> The developer, Teamfluence Signal Systems OÜ, sought a preliminary injunction against LinkedIn Ireland Unlimited Company & LinkedIn Germany GmbH at the Regional Court of Munich in January 2026.<ref name="browsergate" /> In March 2026 the court dismissed the motion, finding that LinkedIn's actions did not constitute unlawful obstruction or discrimination.<ref name="cso" /><ref name="bleeping" />
LinkedIn tied the report to a prior legal dispute. The company says the report stems from a dispute with the developer of a LinkedIn-related browser extension called Teamfluence, which LinkedIn restricted for violating its terms.<ref name="bleeping" /> The developer, Teamfluence Signal Systems OÜ, sought a preliminary injunction against LinkedIn Ireland Unlimited Company & LinkedIn Germany GmbH at the Regional Court of Munich in January 2026.<ref name="browsergate" /> In March 2026 the court dismissed the motion, finding that LinkedIn's actions did not constitute unlawful obstruction or discrimination.<ref name="cso" /><ref name="bleeping" />


[[File:LinkedIn BrowserGate Munich dismissal.png|thumb|center|upright=2.2|Fairlinked's BrowserGate page logs the January 2026 injunction filing against two LinkedIn entities and the Regional Court of Munich's dismissal of the motion on March 11, 2026.]]
[[File:LinkedIn BrowserGate Munich dismissal.png|thumb|center|upright=2.2|Fairlinked's BrowserGate page logs the January 2026 injunction filing against two LinkedIn entities and the Regional Court of Munich's dismissal of the motion on March 11, 2026.<ref name="browsergate" />]]


== Competitor-tool targeting ==
== Competitor-tool targeting ==
Line 51: Line 51:
<blockquote>''This is a house of cards built entirely upon a fabrication. We do disclose that we scan for browser extensions in our Privacy Policy, in order to detect abuse and provide defense for site stability.''</blockquote><ref name="pcmag" />
<blockquote>''This is a house of cards built entirely upon a fabrication. We do disclose that we scan for browser extensions in our Privacy Policy, in order to detect abuse and provide defense for site stability.''</blockquote><ref name="pcmag" />


LinkedIn also linked the report to that developer, telling PCMag:
LinkedIn also tied the report to the Teamfluence dispute. It told PCMag that the report came from the developer whose extension LinkedIn had restricted & whose preliminary injunction the Regional Court of Munich dismissed:<ref name="bleeping" />


<blockquote>''Unfortunately, this is a case of an individual who lost in the court of law, but is seeking to re-litigate in the court of public opinion without regard for accuracy.''</blockquote><ref name="pcmag" />
<blockquote>''Unfortunately, this is a case of an individual who lost in the court of law, but is seeking to re-litigate in the court of public opinion without regard for accuracy.''</blockquote><ref name="pcmag" />
The ''court of law'' in that statement is the Munich injunction case, which the developer lost; the ''court of public opinion'' is the BrowserGate report & its press coverage.<ref name="bleeping" />


To The Next Web, the company said it looks for extensions ''that scrape data without members' consent or otherwise violate LinkedIn's Terms of Service'' to protect member privacy, data, & site stability.<ref name="tnw" /> LinkedIn's privacy policy states that it collects information about users' devices, including their web browser & add-ons.<ref name="mediapost" /> The BrowserGate report's position is that scanning thousands of specific third-party extensions without an explicit consent dialog is not meaningfully disclosed.<ref name="tnw" />
To The Next Web, the company said it looks for extensions ''that scrape data without members' consent or otherwise violate LinkedIn's Terms of Service'' to protect member privacy, data, & site stability.<ref name="tnw" /> LinkedIn's privacy policy states that it collects information about users' devices, including their web browser & add-ons.<ref name="mediapost" /> The BrowserGate report's position is that scanning thousands of specific third-party extensions without an explicit consent dialog is not meaningfully disclosed.<ref name="tnw" />
Line 61: Line 63:
Two separate class actions were filed against LinkedIn in the U.S. District Court for the Northern District of California in early April 2026.<ref name="privacydaily" /><ref name="bloomberg" /> One, brought by Nicholas Farrell, is case No. 4:26-cv-02953.<ref name="privacydaily" /> The other, brought by Jeff Ganan, is case No. 5:26-cv-02968; the Ganan complaint was filed on April 6, 2026 by the Law Office of J.R. Howell & accused LinkedIn of running a ''covert browser surveillance system''.<ref name="privacydaily" /><ref name="ppc" />
Two separate class actions were filed against LinkedIn in the U.S. District Court for the Northern District of California in early April 2026.<ref name="privacydaily" /><ref name="bloomberg" /> One, brought by Nicholas Farrell, is case No. 4:26-cv-02953.<ref name="privacydaily" /> The other, brought by Jeff Ganan, is case No. 5:26-cv-02968; the Ganan complaint was filed on April 6, 2026 by the Law Office of J.R. Howell & accused LinkedIn of running a ''covert browser surveillance system''.<ref name="privacydaily" /><ref name="ppc" />


[[File:LinkedIn BrowserGate Ganan complaint.png|thumb|center|upright=2.2|PPC Land's account of the Ganan v. LinkedIn complaint, filed April 6, 2026 as case No. 5:26-cv-02968 by the Law Office of J.R. Howell.]]
[[File:LinkedIn BrowserGate Ganan complaint.png|thumb|center|upright=2.2|PPC Land's account of the Ganan v. LinkedIn complaint, filed April 6, 2026 as case No. 5:26-cv-02968 by the Law Office of J.R. Howell.<ref name="ppc" />]]


The complaints plead causes of action including the California Comprehensive Computer Data Access & Fraud Act, invasion of privacy under the California Constitution, intrusion upon seclusion, the federal Electronic Communications Privacy Act, & California penal-code provisions covering the illegal use of a pen register or trap-and-trace device.<ref name="privacydaily" /> PCMag & Bloomberg Law reported on the same conduct underlying both suits.<ref name="pcmag" /><ref name="bloomberg" />
The complaints plead causes of action including the California Comprehensive Computer Data Access & Fraud Act, invasion of privacy under the California Constitution, intrusion upon seclusion, the federal Electronic Communications Privacy Act, & California penal-code provisions covering the illegal use of a pen register or trap-and-trace device.<ref name="privacydaily" /> PCMag & Bloomberg Law reported on the same conduct underlying both suits.<ref name="pcmag" /><ref name="bloomberg" />
Line 85: Line 87:
<ref name="browsergate">{{Cite web |title=First court action over DMA access |url=https://browsergate.eu/updates/first-court-action-over-dma-access/ |website=BrowserGate (Fairlinked e.V.) |date=2026-03-11 |access-date=2026-06-14}}</ref>
<ref name="browsergate">{{Cite web |title=First court action over DMA access |url=https://browsergate.eu/updates/first-court-action-over-dma-access/ |website=BrowserGate (Fairlinked e.V.) |date=2026-03-11 |access-date=2026-06-14}}</ref>
<ref name="msft">{{Cite web |title=Microsoft to acquire LinkedIn |url=https://news.microsoft.com/2016/06/13/microsoft-to-acquire-linkedin/ |website=Microsoft News Center |date=2016-06-13 |access-date=2026-06-14}}</ref>
<ref name="msft">{{Cite web |title=Microsoft to acquire LinkedIn |url=https://news.microsoft.com/2016/06/13/microsoft-to-acquire-linkedin/ |website=Microsoft News Center |date=2016-06-13 |access-date=2026-06-14}}</ref>
<ref name="dpc">{{Cite web |title=Irish Data Protection Commission fines LinkedIn Ireland €310 million |url=https://www.dataprotection.ie/en/news-media/press-releases/irish-data-protection-commission-fines-linkedin-ireland-eu310-million |website=Data Protection Commission |date=2024-10-24 |access-date=2026-06-14}}</ref>
<ref name="safestate">{{Cite web |title=LinkedIn's BrowserGate Exposes Covert Scanning of 6,000 Extensions |url=https://www.safestate.com/post/linkedins-browsergate-exposes-covert-scanning-of-6000-extensions |website=SafeState |date=2026-04-15 |access-date=2026-06-14}}</ref>
<ref name="safestate">{{Cite web |title=LinkedIn's BrowserGate Exposes Covert Scanning of 6,000 Extensions |url=https://www.safestate.com/post/linkedins-browsergate-exposes-covert-scanning-of-6000-extensions |website=SafeState |date=2026-04-15 |access-date=2026-06-14}}</ref>
</references>
</references>
Retrieved from "https://consumerrights.wiki/w/LinkedIn_browser_extension_scanning"