
Every time a professional opens LinkedIn in a Chrome-based browser today, hidden JavaScript silently probes their device for up to 6,278 installed browser extensions, encrypts the results, and transmits them to LinkedIn's servers — where they are attached to that user's verified name, employer, and career history. The covert system, which LinkedIn has never disclosed in its privacy policy, is now the subject of a federal class action lawsuit and a complaint to the European Commission, after independent security research confirmed the scanning was active as recently as this week.
The stakes are immediate for any of LinkedIn's more than one billion members who access the platform through Chrome, Edge, Brave, or Opera. Their browser inventories — which can reveal job-search activity, political affiliations, religious practices, health conditions, and the internal software their employers use — are being collected and linked to their real identities without their knowledge or consent, and with no opt-out mechanism available.
A Lawsuit Filed in April Calls the System Illegal
On April 6, 2026, plaintiff Jeff Ganan, a Los Angeles County sales professional, filed Ganan v. LinkedIn Corporation (Case 5:26-cv-02968) in the U.S. District Court for the Northern District of California on behalf of a proposed nationwide class of Chrome users. The complaint, brought by the Law Office of J.R. Howell, alleges violations of the federal Electronic Communications Privacy Act, the California Constitution's privacy protections, and the California Comprehensive Computer Data Access and Fraud Act. It seeks monetary damages and an injunction requiring LinkedIn to change its data-collection practices.
"This system can identify a user's religion, their political views, whether they have a disability, and whether they are secretly looking for work," said J.R. Howell, the Santa Monica attorney leading the case. "LinkedIn knows every user's real name and employer. This is not abstract data collection. These are identified people being profiled without their knowledge."
Howell told Ars Technica that LinkedIn's public response does not meaningfully rebut the core allegation. "The key question isn't whether LinkedIn says it was addressing terms-of-service abuse," he said. "The question is whether users were ever clearly and meaningfully informed that LinkedIn would covertly inspect their browsers for installed extensions, pull session-linked data, and share that data with undisclosed third parties whose uses might go beyond a single compliance check."
A second class action, Farrell v. LinkedIn, was filed separately in the same court and raises comparable allegations. Both suits seek injunctions requiring the company to alter its data-collection and disclosure practices.
The Scanning System: 6,278 Silent Probes on Every Page Load
The technical mechanism was documented in March 2026 by Fairlinked e.V., a Germany-registered nonprofit representing commercial LinkedIn users, and independently confirmed by BleepingComputer through its own live testing. Researcher Seth Honda published a parallel analysis at 404Privacy.com on April 6, 2026.
LinkedIn injects a 2.7-megabyte JavaScript bundle into every page served to Chrome visitors. Inside that file is a hardcoded list of browser extension IDs. For each entry, the script fires a request to a local chrome-extension:// URL; a successful response confirms the extension is installed. The results are encrypted using an RSA key the code labels "apfcDfPK" and transmitted to LinkedIn's servers, where they are appended to every subsequent API request during the session. The code runs during CPU idle time — a technique that reduces the chance a user will notice the activity.
The scale of the operation has grown dramatically. LinkedIn scanned for 38 extensions in 2017, approximately 461 by 2024, and more than 6,000 by February 2026 — a 1,252 percent increase in two years. A sworn affidavit from a LinkedIn Senior Engineering Manager, filed in German court proceedings, confirmed that the platform "invested in extension detection mechanisms."
Beyond extensions, the same script collects 48 distinct device characteristics — CPU core count, available memory, screen resolution, timezone, battery status, audio hardware signatures, and canvas fingerprints — forming a device profile precise enough to persist across cookie resets and potentially across devices. The full extension database is searchable at browsergate.eu/extensions.
What the Extensions Reveal: Religion, Job-Seeking, Disability
Browser extensions are not neutral software inventory. The Fairlinked investigation found that LinkedIn's scan list covers 509 job-search tools used by a combined 1.4 million people — capturing who is quietly seeking new employment, even while logged into a profile that their current employer can view. The list also includes extensions used by practicing Muslims and other faith communities, tools built for neurodivergent users, political content readers, accessibility software that can indicate disabilities, and more than 200 direct competitors to LinkedIn's own paid products — including Apollo (600,000 users), Lusha (300,000 users), and ZoomInfo.
Under EU law, data that allows inference of religious beliefs, political opinions, health conditions, or trade union membership is classified as "special category" data under GDPR Article 9 — prohibited from processing without explicit consent. LinkedIn's privacy policy contains no mention of extension scanning. The data also travels beyond LinkedIn's servers: the Fairlinked investigation identified a hidden zero-by-zero-pixel iframe loaded from HUMAN Security (formerly PerimeterX) through which fingerprinting data is transmitted. LinkedIn denies using that data for profiling.
Because LinkedIn's profiles are verified against real names, employers, and job titles, the extension inventory is not associated with an anonymous device identifier. It is attached to a specific, identifiable person — making the combination qualitatively more invasive than conventional browser fingerprinting used by advertising networks.
LinkedIn's Defense: Anti-Fraud Tool — and Why Critics Reject It
LinkedIn acknowledges the scanning. In a statement to BleepingComputer, a spokesperson said: "To protect the privacy of our members, their data, and to ensure site stability, we do look for extensions that scrape data without members' consent or otherwise violate LinkedIn's Terms of Service." The company added that it does not use the data to "infer sensitive information about members."
LinkedIn also challenged the credibility of the Fairlinked investigation, noting the organization's connection to Teamfluence Signal Systems OÜ, an Estonian company whose account LinkedIn restricted for alleged scraping violations. In January 2026, the Regional Court of Munich denied Teamfluence's preliminary injunction against LinkedIn; both parties have appealed and the litigation continues.
Critics say the anti-fraud framing does not withstand scrutiny of the actual list. Independent analysis found entries for Amazon delivery schedulers, pharmacy operations tools, and image downloaders — software with no plausible connection to LinkedIn data scraping. SecurityWeek senior contributor Kevin Townsend, in a skeptical review of the more inflammatory claims, nonetheless confirmed the scanning's technical existence. The Ganan complaint argues LinkedIn "crossed the line" by using anti-abuse justifications as cover for a surveillance system that collected and shared private data without consent.
LinkedIn's Prior €310 Million GDPR Fine Sets the Regulatory Context
This is not the first time regulators have found LinkedIn's data practices unlawful. In October 2024, the Irish Data Protection Commission fined LinkedIn €310 million for processing member data for behavioral analysis and targeted advertising without a valid legal basis, and ordered the company into compliance. Microsoft, LinkedIn's parent since its $26.2 billion acquisition in 2016, indemnified LinkedIn against the fine, meaning it had no direct financial impact on the Irish entity.
BrowserGate lands while the European Commission is reviewing LinkedIn's compliance with the Digital Markets Act, which designated LinkedIn a regulated gatekeeper in 2023 and requires the platform to open its ecosystem to third-party tools. Fairlinked argues that LinkedIn's scan-list expansion from 461 entries in 2024 to over 6,000 by early 2026 — directly overlapping with DMA compliance obligations — represents a system built to identify and target the very third-party users the regulation was designed to protect. Fairlinked has filed complaints with the European Commission and is coordinating with U.S. counsel on the class action.
In Germany, legal analysts cited by Fairlinked have flagged Section 202a of the German Criminal Code, which covers unauthorized access to data and carries a maximum penalty of three years' imprisonment, as potentially applicable to the extension-scanning behavior.
What LinkedIn Users Can Do Right Now
Chrome, Edge, Brave, and Opera users are exposed to the scanning. Firefox users are not: Firefox's extension architecture does not expose the resource paths LinkedIn's technique depends on. Chrome users who must stay on that browser can reduce their exposure by creating a dedicated browser profile for LinkedIn with no extensions installed in that profile, or by switching to LinkedIn's mobile app, which does not run the browser-based fingerprinting scripts.
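As an added example (not code from this article, from LinkedIn, or from Fairlinked): a Python audit that lists which extensions in a Chrome profile could be confirmed by the chrome-extension:// request technique described above, so a profile reserved for LinkedIn can be checked. It assumes such a request only succeeds for files an extension declares under the manifest's `web_accessible_resources` key, and that manifests sit at `<profile>/Extensions/<id>/<version>/manifest.json`; the sample manifests and function names are constructed for illustration.

```python
import json
from pathlib import Path
from urllib.parse import urlsplit

# Constructed sample manifests (not real extensions).
MV2_OPEN = {"manifest_version": 2, "web_accessible_resources": ["img/icon.png"]}
MV3_SCOPED = {"manifest_version": 3, "web_accessible_resources": [
    {"resources": ["ui/panel.html"], "matches": ["https://*.linkedin.com/*"]}]}
MV3_DYNAMIC = {"manifest_version": 3, "web_accessible_resources": [
    {"resources": ["ui/panel.html"], "matches": ["<all_urls>"], "use_dynamic_url": True}]}

def pattern_matches(pattern, url):
    """Simplified match-pattern test: scheme and host only (assumption: path is ignored)."""
    if pattern == "<all_urls>":
        return True
    scheme, sep, rest = pattern.partition("://")
    target = urlsplit(url)
    if not sep or target.scheme not in ("http", "https"):
        return False
    if scheme not in ("*", target.scheme):
        return False
    host, name = rest.split("/", 1)[0], target.hostname or ""
    if host.startswith("*."):
        return name == host[2:] or name.endswith(host[1:])
    return host in ("*", name)

def probeable_resources(manifest, page_url):
    """Files a page at page_url can request at a fixed chrome-extension://<id>/ URL."""
    exposed = []
    for entry in manifest.get("web_accessible_resources", []):
        if isinstance(entry, str):            # Manifest V2: readable by any page
            exposed.append(entry)
        elif not entry.get("use_dynamic_url") and any(
                pattern_matches(p, page_url) for p in entry.get("matches", [])):
            exposed.extend(entry.get("resources", []))
    return exposed

def audit_profile(extensions_dir, page_url):
    """Map extension ID -> probeable files for every manifest under the directory."""
    report = {}
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except ValueError:                    # manifest with comments or bad JSON
            continue
        found = probeable_resources(manifest, page_url)
        if found:
            report[path.parent.parent.name] = found
    return report
```

Point `audit_profile` at the Extensions folder of the profile reserved for LinkedIn; an empty result means no installed extension answers a fixed-ID request from that page.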
EU and EEA residents can file a GDPR Subject Access Request demanding that LinkedIn disclose all extension and device-fingerprinting data it holds — specifying records from the APFC and Spectroscopy systems — and can submit formal complaints to their national data protection authority using pre-filled templates at browsergate.eu. LinkedIn's lead EU supervisory authority is the Irish Data Protection Commission. U.S. users can register as potential class members through the Ganan lawsuit proceedings.
For the hundreds of millions of professionals who rely on LinkedIn for hiring, recruiting, and career management, the platform has been constructing a second profile of each of them — one built from software inventory, hardware signals, and behavioral data — without their knowledge. Whether regulators, the courts, or LinkedIn itself acts to change that depends in part on how many users demand to know what has already been collected.
ⓒ 2026 TECHTIMES.com All rights reserved. Do not reproduce without permission.




