
LinkedIn scans browser extensions and fingerprints devices

Summary

– LinkedIn silently scans Chrome-based browsers for over 6,000 installed extensions and 48 device characteristics every time a user visits the site.
– This encrypted data forms a unique device fingerprint attached to every user action, a practice not disclosed in LinkedIn’s privacy policy.
– The scanned extensions include competitors’ sales tools and categories considered sensitive personal data under EU law, like job-search or health-related tools.
– LinkedIn defends the practice as a security measure to detect scraping, while critics and an independent investigation label it covert surveillance.
– The Irish Data Protection Commission previously fined LinkedIn €310 million for GDPR violations, and this new practice raises similar regulatory questions.

A hidden script runs each time you visit LinkedIn in a Chrome-based browser, conducting a comprehensive scan of your device without your knowledge. This undisclosed process, which researchers have named BrowserGate, probes for over 6,000 installed browser extensions while gathering 48 distinct hardware and software characteristics to create a unique and persistent device fingerprint. While LinkedIn asserts this is a security measure, critics argue it represents covert, industrial-scale surveillance of its billion users, a practice not mentioned in the company’s privacy policy.

According to an investigation published in early April 2026 by the European association Fairlinked e. V., LinkedIn injects a 2.7-megabyte JavaScript bundle into its website. This code silently executes a scan, checking for the presence of thousands of specific Chrome extensions by attempting to access their unique files. Simultaneously, it collects a detailed profile of a user’s device, including CPU core count, screen resolution, memory, timezone, and audio hardware. This data is then encrypted and transmitted to LinkedIn’s servers, where it is attached to every subsequent API call a user makes during their session, accompanying every search, profile view, and message. Independent testing by BleepingComputer confirmed these technical facts, which LinkedIn does not dispute.

Internally, LinkedIn refers to this system as Spectroscopy. The operation fires thousands of simultaneous requests in the background with no user notification. The collected attributes, while common individually, combine to form a highly specific identifier that can track a user even after cookies are cleared. Once compiled, the data is serialized, encrypted with an RSA public key, and sent to telemetry endpoints. The resulting fingerprint is then attached as an HTTP header to every request for the rest of the session.
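For a practitioner auditing a site's front-end, the two behaviours described above leave recognisable traces in the shipped JavaScript: probes for `chrome-extension://<id>/<file>` resources (Chrome extension IDs are 32 characters drawn from a to p) and reads of the device attributes that make up the fingerprint. The following static audit is an added example written for this article, not LinkedIn's code and not from the Fairlinked report; the bundle it scans is a constructed sample and the flagging threshold is an assumption.

```javascript
// Constructed sample of a page bundle that both probes extensions and reads fingerprint attributes.
const SAMPLE_BUNDLE = `
  var probes=["chrome-extension://abcdefghijklmnopabcdefghijklmnop/manifest.json",
  "chrome-extension://ponmlkjihgfedcbaponmlkjihgfedcba/icon.png",
  "chrome-extension://abcdefghijklmnopabcdefghijklmnop/popup.html"];
  probes.forEach(function(u){fetch(u).then(function(){hits.push(u)},function(){})});
  var fp={cores:navigator.hardwareConcurrency,mem:navigator.deviceMemory,
  w:screen.width,h:screen.height,tz:Intl.DateTimeFormat().resolvedOptions().timeZone,
  audio:new AudioContext().sampleRate};
`;

// One probe = one extension ID plus a file path inside that extension; the ID is what we count.
const PROBE_RE = /chrome-extension:\/\/([a-p]{32})\/[\w./-]+/g;

// Browser APIs whose combined values yield the kind of device fingerprint the article describes
// (CPU cores, memory, screen size, timezone, audio hardware).
const FINGERPRINT_APIS = [
  'navigator.hardwareConcurrency',
  'navigator.deviceMemory',
  'screen.width',
  'screen.height',
  'resolvedOptions().timeZone',
  'AudioContext',
];

// Scan bundle source text and report how many distinct extensions it probes for and which
// fingerprint APIs it touches. probeThreshold is an assumed cut-off: a site checking for its own
// companion extension is ordinary; probing thousands, as reported, is the signal.
function auditBundle(source, probeThreshold = 50) {
  const ids = new Set();
  for (const m of source.matchAll(PROBE_RE)) ids.add(m[1]);
  const apis = FINGERPRINT_APIS.filter((api) => source.includes(api));
  return {
    probedExtensions: ids.size,
    fingerprintApis: apis,
    flagged: ids.size >= probeThreshold || (ids.size > 0 && apis.length >= 3),
  };
}

// Stand-alone run over the constructed sample.
console.log(JSON.stringify(auditBundle(SAMPLE_BUNDLE), null, 2));
```

Run it against a real site's bundle by replacing SAMPLE_BUNDLE with the downloaded source; minified code keeps the `chrome-extension://` literals and API names intact, so the regex and substring checks still apply.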

The nature of the extensions LinkedIn scans for raises significant questions beyond simple fraud prevention. The target list reportedly includes more than 200 products that directly compete with LinkedIn’s own sales tools, such as Apollo, Lusha, and ZoomInfo. Given LinkedIn knows each user’s employer, systematically checking for these rival tools provides the platform with visibility into which companies are adopting competing software. The list also allegedly includes extensions related to neurodivergent conditions, religious practice, political interests, and job-hunting. In the European Union, such information qualifies as sensitive personal data under the GDPR, warranting heightened protection. Inferring a user’s job-seeking intentions from an installed extension, for example, is a significant deduction made without consent.

The scale of this operation has expanded dramatically. What began in 2017 as a scan for 38 extensions grew to 461 by 2024. By February 2026, the list had ballooned to 6,167 targets, a staggering increase of over 1,200 percent in just two years. BleepingComputer verified the scanning was still active in early April 2026.

LinkedIn has defended the practice as a security necessity. A company spokesperson stated the claims are “plain wrong” and linked the report’s source to an account restricted for scraping and violating terms of service. LinkedIn asserts it scans for extensions that scrape data without consent to protect member privacy and ensure site stability, adding it does not use the data to “infer sensitive information about members.”

The source of the investigation is part of an ongoing commercial dispute. Fairlinked e. V. is connected to Teamfluence Signal Systems OÜ, an Estonian company whose Chrome extension was restricted by LinkedIn for alleged policy violations. Teamfluence subsequently sought a preliminary injunction in a Munich court, alleging LinkedIn violated the Digital Markets Act and data protection rules. The court denied the injunction in January 2026. While the financial conflict frames the narrative, the technical findings of the scan have been independently verified.

This incident occurs against a backdrop of stringent European regulatory scrutiny. In October 2024, the Irish Data Protection Commission fined LinkedIn €310 million for processing user data for targeted advertising without a valid legal basis, ruling its consent mechanisms did not meet the GDPR’s “freely given” standard. The BrowserGate investigation now poses a new legal question: whether scanning for thousands of extensions constitutes processing special-category data, and if the total lack of user awareness invalidates any implied consent. Europe’s regulatory direction increasingly demands explicit disclosure of significant data collection, making a covert operation of this scale difficult to reconcile with compliance trends.

As a Microsoft subsidiary, LinkedIn’s vast dataset of professional identities is a cornerstone of Microsoft’s expanding AI ambitions. The relationship between these data collection practices and Microsoft’s broader AI strategy is not addressed in LinkedIn’s privacy policy.

For over a billion users, the practical implications are stark. The scan runs routinely on the devices of the global professional workforce using Chrome-based browsers, creating a persistent identifier. Short of switching to a non-Chromium browser like Firefox, there is no user-facing setting to prevent it; the platform offers no opt-out because it does not disclose the practice. The 2026 push for transparent AI and data governance is predicated on the idea that invisible, default collection of this kind is unacceptable. Whether regulators can compel change at LinkedIn’s scale is an open question. The growth of security firms designed to detect such covert harvesting indicates a wide gap between platform collection and user understanding, a lag that BrowserGate exemplifies from inside the browser itself.

(Source: The Next Web)
