TL;DR
Every time you visit LinkedIn, hidden JavaScript quietly scans your browser for over 6,200 specific extensions. It isn’t asking permission. It isn’t telling you. And based on what extensions you have installed, it can figure out your religion, your politics, your health conditions, and whether you’re secretly looking for a new job, all while you’re just checking your notifications.
This is what the commercial user association Fairlinked e.V. is calling “BrowserGate.” Their investigation found that Microsoft, through LinkedIn, is running what amounts to a large-scale surveillance operation against its own users. We’re talking over a billion accounts. The data being extracted falls squarely into what the GDPR calls “Special Category” data, the type regulators explicitly prohibit collecting without explicit consent. LinkedIn isn’t just brushing up against the law here; it appears to be breaking it outright, across multiple jurisdictions, simultaneously.

How Did We Get Here?
There’s a particular kind of scandal that takes a while to feel real. The breach itself isn’t dramatic: there was no single day when servers went dark or passwords were posted on a hacker forum. Instead, this has been a slow accumulation of code, running silently in the background, while over a billion people logged in to find jobs, network, and post about their professional achievements.
The Cambridge Analytica story broke that way too. The data wasn’t stolen in some cinematic heist; it was quietly harvested through an interface that most users would never see. BrowserGate follows the same pattern, except the scale is larger and the legal exposure may be worse.
What LinkedIn Is Actually Doing
When you load a LinkedIn page, a JavaScript program embedded in the page runs a scan. This isn’t a cookie or a tracking pixel; those are passive. This is active. It probes your browser’s local environment to identify what extensions you have installed.
You’re never asked. There’s no consent screen. LinkedIn’s privacy policy doesn’t mention it.
What makes this especially invasive isn’t just the scanning. It’s that LinkedIn knows exactly who it’s scanning. You’re logged in. That means every result gets tied to your real name, your employer, your job title, and your location. LinkedIn isn’t running anonymous analytics. It’s building a detailed map of specific, identified individuals at specific companies, every day, at enormous scale.
The Three-Layer Detection System
The technical architecture here is worth understanding, because it shows how much engineering effort went into not being detected.
The system, internally referred to as APFC (Anti-fraud Platform Features Collection) or DNA (Device Network Analysis), uses three methods in sequence, each designed to catch what the previous one missed.
Layer one is direct detection. LinkedIn’s code uses the browser’s fetch() API to request known files from specific extension URLs (the chrome-extension:// scheme), things like manifest.json or logo.svg. If the request succeeds, LinkedIn logs that extension as present.
Layer two kicks in when an extension has blocked direct requests. LinkedIn then probes for specific web-accessible resources that the extension developer might have left exposed, essentially trying a side door after the front door is locked.
Layer three is the one that’s hardest to block. LinkedIn calls it “Spectroscopy.” It walks the entire DOM tree of the webpage looking for any element, script, or attribute that an extension has injected. A VPN that modifies even one pixel of the page leaves a fingerprint. Spectroscopy finds it, extracts the extension’s 32-character ID, and sends it back to LinkedIn’s servers.
The results from all three layers are encrypted and bundled into a payload sent to https://www.linkedin.com/li/track. And this doesn’t happen once per session – the data goes out with nearly every API call the user makes while browsing the platform.
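The first two layers only work against files an extension has declared as web-accessible: a page can fetch chrome-extension://<id>/<path> only for resources the manifest exposes, and in Manifest V3 each entry can be limited to named origins and served from a per-session URL. The following audit script is an added example, not code from the page, from LinkedIn, or from Fairlinked e.V.; the two manifests it checks are constructed for illustration and do not belong to any real extension. It reports which declared resources a site like LinkedIn could request at a stable URL, which is what makes an extension fingerprintable by the direct-detection layer.

```javascript
// Added example: audit an extension manifest for resources that any web
// origin can fetch from chrome-extension://<id>/<path>. A resource that is
// not web-accessible makes the probe's fetch() fail, so the extension stays
// invisible to direct detection. Sample manifests below are constructed.

// Host patterns that expose a resource to every web origin.
const BROAD_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

function isBroadMatch(pattern) {
  return BROAD_PATTERNS.has(pattern);
}

// Returns one finding per declared resource with a risk level and a reason.
function auditWebAccessibleResources(manifest) {
  const findings = [];
  const war = manifest.web_accessible_resources || [];

  if (manifest.manifest_version === 2) {
    // Manifest V2 uses a flat list: every entry is reachable from any origin
    // at a stable URL, so each one is a usable fingerprint.
    for (const resource of war) {
      findings.push({ resource, risk: "high", reason: "MV2 resource exposed to all origins" });
    }
    return findings;
  }

  // Manifest V3: each entry carries its own "matches" (allowed web origins)
  // and may set "use_dynamic_url" so the file is served from a per-session URL
  // instead of the extension's fixed 32-character ID.
  for (const entry of war) {
    const matches = entry.matches || [];
    const broad = matches.some(isBroadMatch);
    for (const resource of entry.resources || []) {
      let risk, reason;
      if (broad && !entry.use_dynamic_url) {
        risk = "high"; reason = "reachable from any origin at a stable URL";
      } else if (broad) {
        risk = "medium"; reason = "reachable from any origin, but only via a dynamic URL";
      } else if (matches.length === 0) {
        risk = "low"; reason = "not exposed to web origins";
      } else {
        risk = "low"; reason = "restricted to " + matches.join(", ");
      }
      findings.push({ resource, risk, reason });
    }
  }
  return findings;
}

function countByRisk(findings) {
  const counts = { high: 0, medium: 0, low: 0 };
  for (const f of findings) counts[f.risk] += 1;
  return counts;
}

// Constructed sample: the weak form exposes its icon and stylesheet to every site.
const WEAK_MANIFEST = {
  manifest_version: 3,
  name: "example-filter",
  web_accessible_resources: [
    { resources: ["logo.svg", "icons/icon48.png", "inject.css"], matches: ["<all_urls>"] }
  ]
};

// Constructed sample: the hardened form exposes only what the content script
// needs, only to the origin it runs on, and only through a dynamic URL.
const HARDENED_MANIFEST = {
  manifest_version: 3,
  name: "example-filter",
  web_accessible_resources: [
    { resources: ["inject.css"], matches: ["https://example.org/*"], use_dynamic_url: true }
  ]
};

console.log(countByRisk(auditWebAccessibleResources(WEAK_MANIFEST)));     // { high: 3, medium: 0, low: 0 }
console.log(countByRisk(auditWebAccessibleResources(HARDENED_MANIFEST))); // { high: 0, medium: 0, low: 1 }
```

Run it with node after pasting a real manifest.json into one of the objects. The audit covers layers one and two only; it says nothing about DOM injection, which is why the article’s Spectroscopy layer is harder to defend against. It also explains the Firefox point made later on the page: Firefox serves extension files from moz-extension:// URLs that use a random per-installation UUID rather than a fixed store ID, so a hardcoded ID list has nothing stable to probe.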
What the 6,222 Extensions Actually Reveal
The list of extensions LinkedIn scans for has grown from 38 in 2017 to over 6,100 by early 2026. That’s not organic growth. The acceleration correlates directly with the EU’s Digital Markets Act coming into force. More on that shortly.
So what’s on the list?
Competitor intelligence. Over 200 extensions in the scan list compete directly with LinkedIn’s Sales Navigator tool, which generates roughly $1 billion a year in revenue. The targets include Apollo, Lusha, ZoomInfo, and Kaspr. By identifying which companies use these tools, LinkedIn can map the customer bases of its direct competitors. That’s not a side effect of the scanning – it’s arguably the core use case.
Job search monitoring. 509 job search extensions are on the list. If you’re quietly exploring other opportunities while employed, LinkedIn can detect that. Your current employer is probably also on LinkedIn. The conflict of interest here is obvious and the consequences could be serious.
Religious profiling. GDPR Article 9 flatly prohibits processing data that reveals religious beliefs without explicit consent. LinkedIn scans for extensions like PordaAI, an Islamic values filter, and Deen Shield, a tool that blocks sites deemed contrary to Islamic practice. Detecting these amounts to religious profiling.
Political profiling. The list also includes politically oriented extensions, anti-woke content filters, an “Anti-Zionist Tag” tool, and “No more Musk,” among others. Political beliefs are also Special Category data under GDPR.
Health and disability data. Extensions designed for neurodivergent users, including “Simplify,” which is marketed specifically for users who find standard interfaces difficult, appear on the list. Knowing someone uses that tool is effectively knowing something about their neurological condition.

The Legal Picture
Multiple legal experts consulted by Fairlinked e.V. believe LinkedIn isn’t just facing fines. It may be facing criminal liability in at least two countries.
Under GDPR Article 9, collecting data that reveals religion, politics, health status, or trade union membership is prohibited by default. There are narrow exemptions, explicit consent being the main one, but LinkedIn has no consent mechanism for any of this. Users have no idea the scanning is happening.
The ePrivacy Directive, sometimes called the “cookie law,” requires explicit consent before accessing any information stored on a user’s device. Every fetch request to a local extension is an unauthorized access, by the letter of that law.
German criminal law (§ 202a StGB) classifies unauthorized data access as a criminal offense carrying up to three years in prison. By bypassing the security mechanisms extension developers set up, specifically the externally_connectable restrictions, LinkedIn’s code meets the legal definition of “data espionage” under German courts’ interpretation.
In the UK, Section 1 of the Computer Misuse Act 1990 criminalizes unauthorized access to computer material. Probing a browser for installed software without the user’s knowledge fits that definition.
The DMA Compliance Fraud
In 2023, the EU designated LinkedIn a “Gatekeeper” under the Digital Markets Act, which meant it had to open its platform to third-party tools. LinkedIn responded by providing two restricted, low-capacity APIs to regulators, the kind of thing that looks like compliance from a distance.
Meanwhile, internally, LinkedIn kept using its high-speed “Voyager” API. And while it was telling the European Commission it was opening up, it expanded its extension surveillance list from 461 extensions to over 6,000.
The timeline is hard to read any other way: the DMA required LinkedIn to tolerate competing tools, and LinkedIn responded by building a system to identify every user who was using one.
The National Security Problem
This isn’t purely a consumer privacy issue. If a defense analyst at a European ministry has a specific security extension or VPN installed, LinkedIn now knows about it, and so, by extension, does Microsoft, a US-based company subject to US law and US government requests.
The regulators investigating LinkedIn in Brussels are themselves on LinkedIn. Every time they check their notifications, they’re potentially feeding data into the system they’re supposed to be auditing.
And at the corporate level, LinkedIn has effectively built a continuously updated map of the internal software environments of most major companies on earth.
The Evidence
Three pieces of evidence underpin the BrowserGate claims.
First, LinkedIn’s own code. A 2.7 MB JavaScript bundle (module 75023), served to every Chrome user, contains the hardcoded list of 6,222 extension IDs along with the detection logic.
Second, an affidavit. In a sworn statement to a German court, LinkedIn’s Senior Engineering Manager acknowledged that LinkedIn “invested in extension detection mechanisms.”
Third, a cryptographic timestamp. The code has been hashed and timestamped by independent authorities in Germany, establishing that it was active and in use as of February 2026.
What You Can Actually Do
The scanning targets Chromium-based browsers: Chrome, Edge, and Brave. Switching to Firefox meaningfully reduces exposure, since the scan is built around Chrome’s extension architecture.
Beyond that, the picture is murky. Extensions with “web-accessible resources” are detectable. Tools designed to mask extension IDs exist, but LinkedIn’s Spectroscopy layer was specifically built to get around many of them.
Being logged out of LinkedIn while browsing obviously prevents the data from being tied to your identity, though it doesn’t stop the scan from running.
What Comes Next
Microsoft has a legal budget that most national regulators can’t match. That’s not cynicism; it’s just the reality of how these enforcement processes tend to go. Fines under GDPR have historically been a fraction of what they could theoretically be, and companies with the resources to litigate tend to drag cases out for years.
What’s different here is the criminal angle. Civil fines get absorbed as a cost of doing business. Criminal liability lands differently, especially in Germany, which has shown more appetite than most EU countries for pursuing these cases aggressively.
Whether any regulator moves fast enough to matter is an open question. The code is running right now.
FAQ
Is LinkedIn searching my computer? They’re scanning your browser’s installed extension list using hidden JavaScript that runs every time you load a LinkedIn page. “Searching your computer” is close enough to accurate for most purposes.
What data does this reveal? Your extension list can expose your religious practices, political views, health conditions, job-seeking behavior, and which of LinkedIn’s competitors’ tools you use.
Is any of this legal under GDPR? Based on the analysis from Fairlinked e.V. and independent legal experts: no. GDPR Article 9 prohibits processing data that reveals religion, politics, or health without explicit consent. LinkedIn has no such consent.
Why is LinkedIn doing this? The evidence points to two main reasons: corporate intelligence (mapping competitors’ customer bases) and identifying users who are using tools that compete with LinkedIn’s paid products, particularly Sales Navigator.
Can I verify this myself? Yes. Open Chrome DevTools (F12) on LinkedIn, go to the Network tab, and look for the large JavaScript bundle labeled chunk.905. Search the code for “chrome-extension://” and the logic is there.
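Searching the bundle by hand for “chrome-extension://” shows the logic but not the size of the list. The script below is an added example, not code from the page or from Fairlinked e.V., for anyone who has saved the bundle from the Network tab and wants a count. It relies on one fact about Chrome: extension IDs are exactly 32 characters drawn from the letters a to p, so they stand out whether they appear inside a chrome-extension:// URL or as bare quoted strings in an array. The sample bundle text it runs on is constructed for illustration and contains no real extension IDs.

```javascript
// Added example: count the Chrome extension IDs hardcoded in a saved
// JavaScript bundle. IDs appear either inside chrome-extension:// URLs
// (URL form) or as bare quoted literals in a lookup table (bare form).
// The sample input below is constructed, not taken from LinkedIn's code.

// A Chrome extension ID is 32 characters from the letters a-p.
const URL_ID_RE = /chrome-extension:\/\/([a-p]{32})\//g;
const BARE_ID_RE = /["'`]([a-p]{32})["'`]/g;

// Returns the de-duplicated, sorted IDs plus counts by how they appeared.
function scanBundleForExtensionIds(bundleText) {
  const inUrls = new Set();
  const bare = new Set();
  for (const m of bundleText.matchAll(URL_ID_RE)) inUrls.add(m[1]);
  for (const m of bundleText.matchAll(BARE_ID_RE)) bare.add(m[1]);
  const all = new Set([...inUrls, ...bare]);
  return {
    ids: [...all].sort(),
    urlForm: inUrls.size,
    bareForm: bare.size,
    total: all.size,
  };
}

// Constructed sample bundle: three distinct IDs (one appears both as a URL
// and as a literal) and two strings that must not be counted.
const SAMPLE_BUNDLE = `
  var t=["abcdefghijklmnopabcdefghijklmnop","ponmlkjihgfedcbaponmlkjihgfedcba"];
  fetch("chrome-extension://abcdefghijklmnopabcdefghijklmnop/logo.svg");
  fetch("chrome-extension://aabbccddeeffgghhiijjkkllmmnnoopp/manifest.json");
  var notAnId="zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz";
  var tooShort="abcdefghijklmnop";
`;

const result = scanBundleForExtensionIds(SAMPLE_BUNDLE);
console.log(result.total, "distinct IDs;", result.urlForm, "in URLs,", result.bareForm, "as literals");
// 3 distinct IDs; 2 in URLs, 2 as literals
```

To use it on a real bundle, save the response body of the chunk from DevTools to a file, read it with fs.readFileSync, and pass the text to scanBundleForExtensionIds. A bundle that merely references the chrome-extension:// scheme for its own resources will yield a handful of IDs; a detection list of the size the article describes yields thousands, and the bare-form count is what distinguishes a lookup table from incidental URLs.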
Does this affect users outside the EU? The scanning code runs globally for all Chromium browser users. The legal protections are strongest in the EU and California, but the data collection itself isn’t limited to those regions.
This report is based on findings documented by Fairlinked e.V. and technical analysis of LinkedIn’s public-facing code. It is intended for informational purposes.