LinkedIn browser extension scanning

BrowserGate is the name given to the April 2026 disclosure that LinkedIn's website runs hidden JavaScript probing a visitor's Chromium-based browser for thousands of installed extensions while collecting device and browser data, with no entry in any consent dialog.^[1][2] The probe checks for extensions by trying to access file resources tied to specific extension IDs, a known detection technique, & it gathers details such as CPU core count, available memory, screen resolution, time zone, & battery status.^[1][3] Two class actions followed in the U.S. District Court for the Northern District of California in April 2026, accusing LinkedIn & its owner Microsoft of covert surveillance; LinkedIn called the underlying report a house of cards built entirely upon a fabrication & said its Privacy Policy discloses extension scanning to detect abuse & protect site stability.^[4][5]

LinkedIn is a professional-networking service with more than one billion members.^[2] Microsoft acquired the company in 2016 for $26.2 billion.^[6] The service has drawn regulatory scrutiny over its data handling before BrowserGate. In October 2024 the Irish Data Protection Commission fined LinkedIn 310 million euros, about $334 million, over processing personal data for targeted advertising without a valid legal basis.^[2][7]

Browser extensions on Chromium-based browsers are addressed through fixed, enumerable identifiers. A web page can test whether a given extension is installed by attempting to load a file resource that the extension exposes under its known ID, & inferring the result from whether the load succeeds.^[1]

LinkedIn's site loads JavaScript that checks for installed browser extensions by attempting to access file resources associated with a specific extension ID, the established method for detecting whether an extension is present.^[1] The same script collects device & browser telemetry: CPU core count, available memory, screen resolution, time zone, language settings, battery status, audio information, & storage features.^[1][3]

The technique works only on Chromium-based browsers, such as Chrome, Edge, Brave, & Opera. Firefox & Safari are not affected, because their browser architectures do not permit the same probing method.^[2][8] LinkedIn loads the script under a randomized filename that it rotates, which frustrates blocking the script by its name alone.^[1]

BleepingComputer independently confirmed part of the claims through its own testing, during which it observed a JavaScript file with a randomized filename being loaded by LinkedIn's website.^[1] The total count of probed extensions came from the researchers rather than from BleepingComputer's own tally. The BrowserGate report counted 6,222 extensions, a figure repeated by PCMag & in the two lawsuits, while BleepingComputer's own testing found a script checking 6,236.^[4][1]

The report was published in early April 2026 by Fairlinked e.V., described by reporters as a European association of commercial LinkedIn users, & was dubbed BrowserGate, with findings posted at browsergate.eu.^[2][9] Mainstream technology press, including BleepingComputer, Tom's Hardware, & The Next Web, covered the report within days.^[1][10][2]

LinkedIn tied the report to a prior legal dispute. The company says the report stems from a dispute with the developer of a LinkedIn-related browser extension called Teamfluence, which LinkedIn restricted for violating its terms.^[1] The developer, Teamfluence Signal Systems OÜ, sought a preliminary injunction against LinkedIn Ireland Unlimited Company & LinkedIn Germany GmbH at the Regional Court of Munich in January 2026.^[11] In March 2026 the court dismissed the motion, finding that LinkedIn's actions did not constitute unlawful obstruction or discrimination.^[12][1]

According to the BrowserGate report, the probed extensions include sales-intelligence tools from Apollo, Lusha, & ZoomInfo that compete with LinkedIn's own products, & the report says LinkedIn scans more than 200 competing products in total.^[10] Tom's Hardware corroborated only a general growth trend in the scan list through public GitHub repositories, noting roughly 2,000 entries in 2025 & roughly 3,000 by February 2026.^[10]

According to the BrowserGate report, the scan list grew from 38 extensions in 2017 to 6,222 by April 2026.^[8] The report says the list includes extensions associated with religious practice, political affiliation, & neurodivergence, which it frames as enabling sensitive profiling.^[8] LinkedIn says it does not use the data to infer sensitive information about members.^[10] The report further argues that the scanning implicates special-category personal data protections under the GDPR.^[2]

LinkedIn rejected the report & defended the scanning as a security measure. The company told PCMag that the report was without foundation & that the scanning is disclosed:

This is a house of cards built entirely upon a fabrication. We do disclose that we scan for browser extensions in our Privacy Policy, in order to detect abuse and provide defense for site stability.

^[4]

LinkedIn also tied the report to the Teamfluence dispute. It told PCMag that the report came from the developer whose extension LinkedIn had restricted & whose preliminary injunction the Regional Court of Munich dismissed:^[1]

Unfortunately, this is a case of an individual who lost in the court of law, but is seeking to re-litigate in the court of public opinion without regard for accuracy.

^[4]

The court of law in that statement is the Munich injunction case, which the developer lost; the court of public opinion is the BrowserGate report & its press coverage.^[1]

To The Next Web, the company said it looks for extensions that scrape data without members' consent or otherwise violate LinkedIn's Terms of Service to protect member privacy, data, & site stability.^[2] LinkedIn's privacy policy states that it collects information about users' devices, including their web browser & add-ons.^[13] The BrowserGate report's position is that scanning thousands of specific third-party extensions without an explicit consent dialog is not meaningfully disclosed.^[2]

Two separate class actions were filed against LinkedIn in the U.S. District Court for the Northern District of California in early April 2026.^[5][14] One, brought by Nicholas Farrell, is case No. 4:26-cv-02953.^[5] The other, brought by Jeff Ganan, is case No. 5:26-cv-02968; the Ganan complaint was filed on April 6, 2026 by the Law Office of J.R. Howell & accused LinkedIn of running a covert browser surveillance system.^[5][15]

The complaints plead causes of action including the California Comprehensive Computer Data Access & Fraud Act, invasion of privacy under the California Constitution, intrusion upon seclusion, the federal Electronic Communications Privacy Act, & California penal-code provisions covering the illegal use of a pen register or trap-and-trace device.^[5] PCMag & Bloomberg Law reported on the same conduct underlying both suits.^[4][14]

• LinkedIn
• Microsoft