SecurityWeek

BrowserGate: Claims of LinkedIn ‘Spying’ Clash With Security Research Findings


The internet is full of claims that Microsoft’s LinkedIn is scanning users’ computers in order to fingerprint and profile them.

Most people in the cybersecurity industry have now heard of BrowserGate. Fewer will understand it. But a search for ‘BrowserGate’ on Chrome, Edge or Safari (as of today) returns, as its top result, a page that reads in bold, “LinkedIn Is Illegally Searching Your Computer”. This is followed by the subtitle, “Microsoft is running one of the largest corporate espionage operations in modern history.”

BrowserGate is both the name of the exposé and the name of the group behind it (which describes itself as ‘Fairlinked… an association of commercial LinkedIn users’). The exposé is published at the browsergate.eu URL.

According to the BrowserGate exposé, LinkedIn has been deceiving EU regulators. “In 2023, the EU designated LinkedIn as a regulated gatekeeper under the Digital Markets Act and ordered it to open its platform to third-party tools.” But LinkedIn’s primary response, it says, was to expand “its surveillance of the exact tools the regulation was designed to protect… from roughly 461 products in 2024 to over 6,000 by February 2026.”

In short, the behavior BrowserGate describes as an attack is carried out silently by LinkedIn’s JavaScript. Whenever LinkedIn is opened in a Chromium-based browser, the JavaScript checks for the presence of approximately 6,000 browser extensions, collects the result, encrypts it, and transmits it to LinkedIn’s servers.

The presence of many of these extensions can supposedly reveal the user’s political opinions, religious beliefs, disability, neurodivergence and sexuality, employment status, and company trade secrets. So, if BrowserGate is correct in describing the process as one of the largest corporate espionage operations in modern history, this is mighty disturbing.


LinkedIn, as you might expect, rejects this view. LinkedInHelp posted on Hacker News: “We use this data to determine which extensions violate our terms, to inform and improve our technical defenses, and to understand why a member account might be fetching an inordinate amount of other members’ data, which at scale, impacts site stability. We do not use this data to infer sensitive information about members.”

So, which is it: aggressive privacy intrusion and data theft, or legitimate defense? Tyler Reguly, associate director of security R&D at Fortra, decided to look deeper and report his findings.

He describes the LinkedIn process as ‘resource probing’: the page’s JavaScript attempts to load a resource belonging to each of more than 6,000 extensions, and whether the load succeeds reveals whether that extension is installed.

“Yes, LinkedIn was probing for a lot of extensions, but there was no scanning of your computer and no malicious code, just a simple JavaScript technique to determine if the extension was there.”

Reguly tested the resource probing, and the extensions it looks for, on a sample of roughly 10% of the 6,000-plus extensions. “One extension refused to have its tab closed and reopened itself every time I closed it. Others changed my home screen, the about:blank page, and added bookmarks.” Another Rickrolled him, playing the ‘Never Gonna Give You Up’ video every time he opened his browser. “To say that a lot of these are the worst of the worst extensions out there is not an understatement.”

What’s more, extrapolating from his sample, he believes only around 2,000 of them could actually be detected by LinkedIn’s probe, and even 6,000 is only a small subset of the total number of extensions that exist. If LinkedIn were intent on fingerprinting or profiling its users, there are better methods than this.
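As an added illustration (this is not code from LinkedIn, Fortra or BrowserGate), the JavaScript below shows how a web page can probe for installed extensions by attempting to load chrome-extension:// URLs, and why such a probe only sees a fraction of what is installed: Chromium serves an extension resource to a page only if the extension’s manifest lists it under web_accessible_resources and, for Manifest V3, only to origins in its “matches” patterns and not when use_dynamic_url is set. The extension IDs, manifests and the ‘installed’ set are constructed placeholders; browserLoader assumes it runs inside a Chromium page, and makeSimulatedLoader stands in for the browser so the rest runs offline.

```javascript
// Added example (not code from LinkedIn, BrowserGate or Fortra): how the
// "resource probing" technique detects installed Chrome extensions, and why
// a large share of extensions cannot be detected this way.
// All extension IDs, manifests and the installed set are constructed placeholders.

// Chromium lets a web page load chrome-extension://<id>/<path> only if the
// extension's manifest exposes <path> under web_accessible_resources.
// MV2 manifests list bare paths, exposed to every site. MV3 manifests bind each
// resource list to "matches" origin patterns, and use_dynamic_url serves the
// resource from a per-session ID, so a probe against the static ID fails.

// Minimal Chrome match-pattern check for an origin (scheme and host only).
function originMatches(pattern, pageOrigin) {
  if (pattern === '<all_urls>') return true;
  const m = /^(\*|https?):\/\/(\*|\*\.[^/]+|[^/*]+)\/.*$/.exec(pattern);
  if (!m) return false;
  const url = new URL(pageOrigin);
  const scheme = url.protocol.replace(':', '');
  const schemeOk = m[1] === '*' ? scheme === 'http' || scheme === 'https' : m[1] === scheme;
  let hostOk;
  if (m[2] === '*') hostOk = true;
  else if (m[2].startsWith('*.')) {
    const base = m[2].slice(2);
    hostOk = url.hostname === base || url.hostname.endsWith('.' + base);
  } else hostOk = url.hostname === m[2];
  return schemeOk && hostOk;
}

// True when a page at pageOrigin is allowed to load resourcePath from the extension.
function isWebAccessibleFrom(manifest, resourcePath, pageOrigin) {
  const war = manifest.web_accessible_resources || [];
  if (manifest.manifest_version === 2) return war.includes(resourcePath);
  return war.some(entry =>
    (entry.resources || []).includes(resourcePath) &&
    !entry.use_dynamic_url &&
    (entry.matches || []).some(p => originMatches(p, pageOrigin)));
}

function listResources(manifest) {
  const war = manifest.web_accessible_resources || [];
  return manifest.manifest_version === 2 ? war : war.flatMap(e => e.resources || []);
}

// From a catalogue of manifests, pick one probeable resource per extension.
// Extensions that expose nothing to pageOrigin are invisible to the probe.
function detectableCandidates(manifests, pageOrigin) {
  const out = [];
  for (const [id, manifest] of Object.entries(manifests)) {
    const resource = listResources(manifest).find(r => isWebAccessibleFrom(manifest, r, pageOrigin));
    if (resource) out.push({ id, resource });
  }
  return out;
}

function probeUrl(id, resourcePath) {
  return `chrome-extension://${id}/${resourcePath}`;
}

// Loader for a real Chromium page (assumption: runs in the browser). A fetch that
// resolves means the extension is installed and exposes the resource; a rejection
// means it is absent or not exposed, which the probe cannot tell apart.
async function browserLoader(url) {
  try { await fetch(url); return true; } catch { return false; }
}

async function probeExtensions(candidates, loader = browserLoader) {
  const found = [];
  for (const { id, resource } of candidates) {
    if (await loader(probeUrl(id, resource))) found.push(id);
  }
  return found;
}

// Offline stand-in for the browser: applies the same rule Chromium applies.
function makeSimulatedLoader(installedIds, manifests, pageOrigin) {
  return async url => {
    const m = /^chrome-extension:\/\/([a-p]{32})\/(.+)$/.exec(url);
    if (!m || !installedIds.has(m[1])) return false;
    return isWebAccessibleFrom(manifests[m[1]], m[2], pageOrigin);
  };
}

// Constructed sample catalogue (placeholder IDs, not real extensions).
const SAMPLE_MANIFESTS = {
  aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa: { manifest_version: 2, web_accessible_resources: ['icon.png'] },
  bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb: { manifest_version: 3, web_accessible_resources: [
    { resources: ['inject.js'], matches: ['https://*.linkedin.com/*'] }] },
  cccccccccccccccccccccccccccccccc: { manifest_version: 3, web_accessible_resources: [
    { resources: ['inject.js'], matches: ['https://example.com/*'] }] },
  dddddddddddddddddddddddddddddddd: { manifest_version: 3, web_accessible_resources: [
    { resources: ['inject.js'], matches: ['<all_urls>'], use_dynamic_url: true }] },
  eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee: { manifest_version: 3 },
};
const PAGE_ORIGIN = 'https://www.linkedin.com';

// Simulated visitor with two of the five installed; only one is probeable from this origin.
const INSTALLED = new Set(['aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa', 'cccccccccccccccccccccccccccccccc']);

async function demo() {
  const candidates = detectableCandidates(SAMPLE_MANIFESTS, PAGE_ORIGIN);
  return probeExtensions(candidates, makeSimulatedLoader(INSTALLED, SAMPLE_MANIFESTS, PAGE_ORIGIN));
}
demo().then(found => console.log('probe detected:', found));
```

In the simulated run, extension c is installed but exposes its resource only to example.com, d hides behind a dynamic URL and e exposes nothing, so the probe reports only a. The same limits apply to a real probe list: an extension that never declares web-accessible resources reachable from the probing origin cannot be seen this way, whatever the size of the list.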

“I don’t see anything that indicates malicious intent here,” he told SecurityWeek. “It is discovering some information, yes, but I don’t think it crosses the threshold to malicious – I think that’s a very sensationalized view of what’s going on.”

Asked why LinkedIn is doing this, he replies: “I don’t know. But for me, a common trend across these extensions is that they have data scraping functionality and are not well known. And they were problematic at times. Many of them gave me that used-car-salesman vibe that you see in the movies.”

“I can’t help but wonder if LinkedIn wanted to know if these extensions were there to try and defend against them. I certainly wouldn’t want one of my LinkedIn contacts to be running these extensions and visit my page with these scrapers installed. I feel that a user with these extensions installed visiting my LinkedIn page is more of an affront to my privacy than LinkedIn checking to see if I have these extensions.”

This doesn’t mean that LinkedIn is absolved from all criticism of its behavior. It hasn’t made the process clear to its users. Whether or not it is intentionally fingerprinting or profiling its users, the practice comes close to illegality in certain jurisdictions.

“The legality of such fingerprinting depends on the facts and jurisdiction,” Ilia Kolochenko, a lawyer focused on cybersecurity, data protection and privacy law, told SecurityWeek. “If used without notice and for commercial gain, in some countries, it may even constitute a criminal offense. In any case, if you don’t have a freely given and informed user consent to collect such data – that highly likely amounts to personal data under GDPR and most other privacy laws and regulations – the data collection may be a grave infringement of applicable privacy law.”

It would seem that LinkedIn should make the behavior very clear to its users, and make explicit that signing up means consenting to it. But for Reguly, “I think the only downside I see is that LinkedIn wasn’t notifying you that you had these potentially problematic extensions installed.”

Personally, he writes, “I think that administrators and security folks should be celebrating this revelation – they now have a list of Extension IDs that they should block at their organization.”

But on the more sensationalist claims for BrowserGate, he concludes, “I can’t help but look at this as a giant nothingburger.”

Related: MI5 Warns Lawmakers That Chinese Spies Are Trying to Reach Them via LinkedIn

Related: LinkedIn Hit With 310 Million Euro Fine for Data Privacy Violations From Irish Watchdog

Related: Firefox 72 Blocks Fingerprinting Scripts by Default

Related: Austrian Regulator Says Google Analytics Contravenes GDPR


