BrowserGate: How LinkedIn’s Secret Extension Scans Turned a Professional Network into a Surveillance Engine

When you load LinkedIn in Chrome, Edge, Brave, Opera or Arc, tiny bits of JavaScript run that most people never notice — and for millions of users they may be doing more than just keeping the site smooth. A German privacy group, Fairlinked e.V., called the campaign “BrowserGate” after uncovering code in LinkedIn’s pages that probes browsers for thousands of installed Chrome extensions, compiles the results, encrypts them and sends that fingerprint back to LinkedIn and third parties.

What the scripts actually do

The technique is blunt and clever at once. LinkedIn’s page bundle contains a long list of Chrome extension IDs. The site’s code tries to load resources that an extension can choose to expose to web pages; if the load succeeds, the extension is installed. The whole check takes milliseconds and leaves no visible sign for the user.

Fairlinked’s analysis says the list the code checks contains more than 6,000 extension identifiers. Independent reviewers note discrepancies — a GitHub audit found roughly 2,953 active IDs — but both paint the same picture: an unusually large, actively growing fingerprinting list. The behavior appears limited to Chromium-based browsers because it leverages the way Chrome’s extension system exposes identifiers; Firefox and Safari’s architectures aren’t affected by this particular probe.

Beyond simply cataloguing installed add-ons, the investigators warn about what those installs imply. The list included job-search helpers (Indeed, Glassdoor), accessibility tools and screen readers, political-leaning news add-ons, and extensions tied to health or neurodiversity support. Under EU law, data that reveals religious beliefs, political opinions or health conditions is “special category” data — processing it without explicit consent is highly restricted, and sometimes outright forbidden.

Fairlinked also flagged covert third-party elements. An off-screen, zero-pixel object from HUMAN Security (formerly PerimeterX) appears to set cookies; separate scripts from Google and LinkedIn collect and encrypt the scan results. BrowserGate claims LinkedIn has used data from these scans to identify users of third-party tools and to send legal threats to alleged rule-breakers.

Why regulators and privacy advocates are alarmed

This is not just academic: the probes turn per-user extension lists into identifiable profiles tied to real names, employers and job titles — the exact kind of data LinkedIn is built on. Aggregated across employees, those fingerprints become corporate intelligence, revealing which tools whole organizations rely on. Fairlinked has filed complaints and legal proceedings in Germany under the EU’s Digital Markets Act (DMA), arguing the practice violates transparency obligations for gatekeeper platforms and potentially crosses GDPR lines.

There’s a broader debate among security engineers about intent. Fingerprinting can be used legitimately — to detect bots, block fraud or protect services. Platforms have been experimenting with ways to separate human users from automation for years; some verification efforts are visible in other corners of the web and social platforms. But many experts say LinkedIn’s scale and the breadth of extensions checked go well beyond routine anti-bot hygiene. That tension — security measures colliding with user privacy — echoes other platform efforts to root out automation and abuse, and even how networks approach verification, as seen in recent moves to challenge suspicious accounts like Reddit's bot checks.

Numbers, timeline and accountability

Independent researchers found traces of this scanning behavior as far back as 2017, when the list contained a few dozen IDs. The array grew steadily: into the low thousands by early 2026 and, according to Fairlinked, ballooned to over 6,000 entries by February 2026. The rapid expansion — roughly a 1,252% jump from a few hundred entries in 2024, per the report — is one reason investigators suspect an active effort to broaden LinkedIn’s fingerprinting reach.

LinkedIn and Microsoft have not published a detailed public explanation at the time of the reports. Regulators across the EU have been notified; cases under the DMA and GDPR are being prepared. If authorities find undisclosed processing of special-category data or unlawful third-party transfers, the fines and orders could be significant — and would set a precedent for how platforms are allowed to inspect client-side environments.

Practical steps for users and admins

If you’re worried, there are immediate mitigations:

  • Use Firefox or Safari for LinkedIn sessions — those browsers’ extension models aren’t susceptible to this particular detection method.
  • Create a dedicated Chrome profile for LinkedIn with no extensions installed, or use a separate browser profile for social and professional sites.
  • Brave blocks some of the implicated endpoints by default; script-blocking extensions and privacy tools can help, though they’re imperfect.
  • Audit your installed extensions and consider whether any reveal sensitive personal attributes.

For organizations, this is another reminder to balance perimeter defense with platform oversight. Companies that take security seriously are already investing in threat detection and recovery — measures echoed by recent enterprise-focused updates such as Google’s steps to add AI ransomware detection to Drive and improve file recovery workflows illustrated in other enterprise coverage.

LinkedIn’s alleged scanning sits at an uncomfortable crossroads: a technical trick used at massive scale that can produce sensitive inferences about individuals and companies. Whether it was intended strictly as anti-fraud hygiene or as a competitive intelligence shortcut, regulators and courts will now decide whether the practice is legal — and what it means for the limits of client-side surveillance on mainstream platforms.

If you want to check whether extensions you use appear on the scan lists, Fairlinked published searchable data as part of the BrowserGate disclosure. For now, simple steps — switching browsers for LinkedIn or separating profiles — are the quickest way to limit exposure while the legal dust settles.
