LinkedIn browser extension scanning

LinkedIn is a professional-networking service with more than one billion members.^[2] Microsoft acquired the company in 2016 for $26.2 billion.^[6] The service has drawn regulatory scrutiny over its data handling before BrowserGate. In October 2024 the Irish Data Protection Commission fined LinkedIn 310 million euros, about $334 million, over processing personal data for targeted advertising without a valid legal basis.^[2]

Browser extensions on Chromium-based browsers are addressed through fixed, enumerable identifiers. A web page can test whether a given extension is installed by attempting to load a file resource that the extension exposes under its known ID, & inferring the result from whether the load succeeds.^[1]

LinkedIn's site loads JavaScript that checks for installed browser extensions by attempting to access file resources associated with a specific extension ID, the established method for detecting whether an extension is present.^[1] The same script collects device & browser telemetry: CPU core count, available memory, screen resolution, time zone, language settings, battery status, audio information, & storage features.^[1][3]

The technique works only on Chromium-based browsers, such as Chrome, Edge, Brave, & Opera. Firefox & Safari are not affected, because their browser architectures do not permit the same probing method.^[2][7] LinkedIn loads the script under a randomized filename that it rotates, which frustrates blocking the script by its name alone.^[1]

BleepingComputer independently confirmed part of the claims through its own testing, during which it observed a JavaScript file with a randomized filename being loaded by LinkedIn's website.^[1] The total count of probed extensions came from the researchers rather than from BleepingComputer's own tally. The BrowserGate report counted 6,222 extensions, a figure repeated by PCMag & in the two lawsuits, while BleepingComputer's own testing found a script checking 6,236.^[4][1]

The report was published in early April 2026 by Fairlinked e.V., described by reporters as a European association of commercial LinkedIn users, & was dubbed BrowserGate, with findings posted at browsergate.eu.^[2][8] Mainstream technology press, including BleepingComputer, Tom's Hardware, & The Next Web, covered the report within days.^[1][9][2]

LinkedIn tied the report to a prior legal dispute. The company says the report stems from a dispute with the developer of a LinkedIn-related browser extension called Teamfluence, which LinkedIn restricted for violating its terms.^[1] The developer, Teamfluence Signal Systems OÜ, sought a preliminary injunction against LinkedIn Ireland Unlimited Company & LinkedIn Germany GmbH at the Regional Court of Munich in January 2026.^[10] In March 2026 the court dismissed the motion, finding that LinkedIn's actions did not constitute unlawful obstruction or discrimination.^[11][1]

According to the BrowserGate report, the probed extensions include sales-intelligence tools from Apollo, Lusha, & ZoomInfo that compete with LinkedIn's own products, & the report says LinkedIn scans more than 200 competing products in total.^[9] Tom's Hardware corroborated only a general growth trend in the scan list through public GitHub repositories, noting roughly 2,000 entries in 2025 & roughly 3,000 by February 2026.^[9]

According to the BrowserGate report, the scan list grew from 38 extensions in 2017 to 6,222 by April 2026.^[7] The report says the list includes extensions associated with religious practice, political affiliation, & neurodivergence, which it frames as enabling sensitive profiling.^[7] LinkedIn says it does not use the data to infer sensitive information about members.^[9] The report further argues that the scanning implicates special-category personal data protections under the GDPR.^[2]

LinkedIn rejected the report & defended the scanning as a security measure. The company told PCMag that the report was without foundation & that the scanning is disclosed:

This is a house of cards built entirely upon a fabrication. We do disclose that we scan for browser extensions in our Privacy Policy, in order to detect abuse and provide defense for site stability.

^[4]

LinkedIn also linked the report to that developer, telling PCMag:

Unfortunately, this is a case of an individual who lost in the court of law, but is seeking to re-litigate in the court of public opinion without regard for accuracy.

^[4]

To The Next Web, the company said it looks for extensions that scrape data without members' consent or otherwise violate LinkedIn's Terms of Service to protect member privacy, data, & site stability.^[2] LinkedIn's privacy policy states that it collects information about users' devices, including their web browser & add-ons.^[12] The BrowserGate report's position is that scanning thousands of specific third-party extensions without an explicit consent dialog is not meaningfully disclosed.^[2]

Two separate class actions were filed against LinkedIn in the U.S. District Court for the Northern District of California in early April 2026.^[5][13] One, brought by Nicholas Farrell, is case No. 4:26-cv-02953.^[5] The other, brought by Jeff Ganan, is case No. 5:26-cv-02968; the Ganan complaint was filed on April 6, 2026 by the Law Office of J.R. Howell & accused LinkedIn of running a covert browser surveillance system.^[5][14]

The complaints plead causes of action including the California Comprehensive Computer Data Access & Fraud Act, invasion of privacy under the California Constitution, intrusion upon seclusion, the federal Electronic Communications Privacy Act, & California penal-code provisions covering the illegal use of a pen register or trap-and-trace device.^[5] PCMag & Bloomberg Law reported on the same conduct underlying both suits.^[4][13]

• LinkedIn
• Microsoft