
LinkedIn Is Spying on Your Browser Extensions — Report

LinkedIn's secret browser tracking exposed

Every time you open LinkedIn in Chrome, Edge, Brave, or any other Chromium-based browser, hidden JavaScript embedded in the page quietly scans your installed browser extensions, encrypts the findings, and ships them to LinkedIn's servers and at least two third-party companies. You are never asked. You are never told. LinkedIn's privacy policy does not mention it anywhere.

That is the central allegation of "BrowserGate," a detailed investigation published by Fairlinked e.V., a European association of commercial LinkedIn users, at browsergate.eu. Researchers claim to have reverse-engineered LinkedIn's production JavaScript bundle and documented the scanning system with line-by-line code references — and they say what they found goes well beyond anti-scraping defenses.

As of April 2026, LinkedIn and Microsoft have not issued any formal public response to the allegations. The only statement on record is a comment posted by a "LinkedinHelp" account on Hacker News, where the story broke publicly this week.

What the Code Actually Does

Inside LinkedIn's production JavaScript bundle — a roughly 2.7 MB Webpack package identified as chunk.905, module 75023 — researchers found a hardcoded array of extension entries, each pairing a Chrome extension ID with a specific internal file path. As of December 2025, the array contained 5,459 entries. By February 2026, it had grown to 6,167, with LinkedIn adding roughly 12 new extensions per day.

The detection system has three distinct stages. The primary method, called AED (Active Extension Detection), fires fetch() requests against known internal files inside each extension using Chrome's chrome-extension:// URL scheme. When an extension is installed and exposes web-accessible resources, the fetch succeeds — confirming the extension is present. LinkedIn fires all of them simultaneously using Promise.allSettled(), or in a slower staggered mode specifically designed to reduce visibility in developer tools and lower CPU impact.

A second passive system called Spectroscopy walks the entire DOM tree, inspecting every text node and attribute for chrome-extension:// strings — a net that catches extensions modifying the page, even if they're not on LinkedIn's hardcoded list. Together, the two methods cover both passive and active extensions. The scan can also be deferred to requestIdleCallback, which runs the code only when the browser is idle, meaning the user sees no performance impact and no visible trace.

The results don't just get sent once. The fingerprint payload is encrypted using an RSA public key before transmission, then injected as an HTTP header into every subsequent API request made during the user's session — meaning LinkedIn receives the fingerprint with every action you take.
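The simplest way to see the AED probing described above for yourself is to instrument the page's own fetch() before LinkedIn's bundle runs. The hook below is an added example, not code from the BrowserGate report or from LinkedIn; it records every request to a chrome-extension:// URL and assumes `target` is `window` in a browser (a constructed stub is used here so it also runs under Node).

```javascript
// Added example: wrap target.fetch so every chrome-extension:// probe is logged.
// In a browser, install it from a userscript at document-start so the page's
// Promise.allSettled() batch goes through the patched function.
function installProbeMonitor(target) {
  const origFetch = target.fetch;
  const log = { probes: 0, extensionIds: new Set(), otherRequests: 0, sampleTargets: [] };
  target.fetch = function patchedFetch(input, init) {
    const url = typeof input === "string" ? input : (input && input.url) || "";
    // Chrome extension ids are 32 lowercase letters a..p; the path is the probed file.
    const m = /^chrome-extension:\/\/([a-p]{32})\/(.*)$/.exec(url);
    if (m) {
      log.probes += 1;
      log.extensionIds.add(m[1]);
      if (log.sampleTargets.length < 5) log.sampleTargets.push(url);
    } else {
      log.otherRequests += 1;
    }
    return origFetch.call(this, input, init);
  };
  return log;
}

// Many probes across many distinct ids is the signature of a bulk extension scan,
// as opposed to an extension loading a handful of its own resources.
function summarize(log) {
  return {
    probes: log.probes,
    distinctExtensions: log.extensionIds.size,
    bulkScanSuspected: log.extensionIds.size >= 50,
  };
}

// Constructed demo: a fake window whose fetch never touches the network.
const fakeWindow = { fetch: async () => ({ ok: false, status: 404 }) };
const demoLog = installProbeMonitor(fakeWindow);
const PLACEHOLDER_ID = "a".repeat(32); // placeholder, not a real extension id
fakeWindow.fetch("chrome-extension://" + PLACEHOLDER_ID + "/manifest.json");
fakeWindow.fetch("https://www.linkedin.com/voyager/api/feed");
console.log(summarize(demoLog));
```

The staggered mode the report mentions spreads probes over time, so let the page sit idle for a while before reading the summary.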

LinkedIn's official Hacker News response framed the practice as targeting extensions that scrape data in violation of its Terms of Service. But the evidence does not support that narrow characterization. Hacker News commenter migueldeicaza spent two minutes searching the full extension list at browsergate and found Amazon image downloaders, Rufus conversation extractors, Amazon delivery schedulers, product scanners, and pharmacy operations tools — none of which have any obvious connection to LinkedIn data scraping.

The investigation found that the scan list includes 509 job search extensions used by a combined 1.4 million people, over 200 sales and recruiting tools that compete directly with LinkedIn's own Sales Navigator product — including Apollo (600,000 users), Lusha (300,000 users), and ZoomInfo — and extensions that signal religious practices, political views, and neurodivergence.

Because LinkedIn ties all of this to a verified professional identity with an employer and job title attached, detecting any one of these is not anonymous data collection — it is identifying a specific named person's private beliefs or health status.

One detail in the code that researchers singled out: LinkedIn records users' "Do Not Track" browser preference as part of its 48-point fingerprinting profile, then explicitly excludes it from the fingerprint hash. They record that you asked not to be tracked. Then they track you anyway.

The Extension Count Dispute

There is one area of legitimate factual dispute worth flagging. Fairlinked puts the scan list at over 6,000 entries. Independent analysis, including a Chrome extension tool built from the publicly available GitHub repository of extracted IDs, puts the actively confirmed count closer to 2,953. The discrepancy likely reflects the difference between all entries in the hardcoded array and those whose probe targets could be verified as still active. Either number represents an enormous scope — and the list is growing regardless.

Third-Party Data Sharing

The data collected doesn't stay only with LinkedIn. The APFC fingerprinting system feeds data to HUMAN Security (formerly PerimeterX), an American-Israeli cybersecurity firm, via a hidden iframe loaded from li.protechts.net that is 0 by 0 pixels in size, positioned off-screen, and marked aria-hidden="true".

A separate fingerprinting script loads from LinkedIn's own merchantpool1.linkedin.com. A third Google reCAPTCHA v3 Enterprise script runs on every page load. All of it is encrypted. None of it is disclosed. Firefox blocks this class of extension probing by design.

The DMA Angle Is Arguably Worse Than the Privacy Angle

The timing of the scan list's growth points to something more deliberate than fraud prevention. In 2023, the EU designated LinkedIn as a regulated gatekeeper under the Digital Markets Act and ordered it to open its platform to third-party tools. 

LinkedIn published two restricted APIs and presented them to the European Commission as compliance. Together, those APIs handle approximately 0.07 calls per second. Meanwhile, LinkedIn's internal Voyager API powers every LinkedIn web and mobile product at 163,000 calls per second. In Microsoft's 249-page DMA compliance report, the word "API" appears 533 times. "Voyager" appears zero times.

At the same time, the scan list exploded — from roughly 461 extensions in 2024 to over 6,000 by February 2026. The EU told LinkedIn to let third-party tools in; LinkedIn appears to have responded by building a system to identify and target every user of those tools.

The Legal Exposure

Under GDPR Article 9, data that reveals religious beliefs, political opinions, or health conditions isn't merely regulated — it is prohibited from being processed without explicit consent. Fairlinked argues LinkedIn has no such consent, no valid exemption, and no disclosure. 

The Court of Justice of the EU has confirmed, in cases including Meta Platforms v. Bundeskartellamt (July 2023) and Lindenapotheke (October 2024), that even indirect data — browsing patterns, app usage, and purchase history — qualify as special category data when they allow inference of protected characteristics.

With Microsoft's fiscal year 2025 revenue at $281.72 billion, a maximum GDPR Article 9 fine at 4% of global turnover would reach approximately $11.27 billion.

Legal action has already started. In January 2026, Estonian software company Teamfluence filed a preliminary injunction against LinkedIn Ireland Unlimited Company and LinkedIn Germany GmbH at the Regional Court of Munich, alleging violations of the Digital Markets Act, EU competition law, and German data protection rules. The case is presided over by Dr. Michaela Althaus, the same judge who previously ruled against Google in a competition law injunction proceeding.

In Germany, the conduct may also cross into criminal territory under § 202a StGB (unauthorized data access), which carries a maximum penalty of three years in prison and which Germany's Federal Court of Justice has confirmed applies even to security measures that are quickly circumvented.

A Legitimate Counterpoint

Some Hacker News commenters pushed back on the more alarmist framing, arguing that extension probing through chrome-extension:// fetch requests is a product of a Chrome API limitation — there's no getAllExtensions() call available — rather than inherently sinister intent, and that checking for specific extensions is a known component of modern browser fingerprinting more broadly. Document five of the BrowserGate evidence pack, an independent analysis, also noted that "installed software" is a hyperbolic way to describe browser extensions, though it acknowledged the practice is invasive — especially given that LinkedIn knows the real identity of every logged-in user, turning what would be anonymous fingerprinting into identified surveillance.

LinkedIn's position — that it only scans to detect scraper extensions — is not implausible on its face. But the contents of the scan list make it very hard to square with that justification alone.

What You Can Do Right Now

Switching to Firefox is the most effective mitigation — Firefox blocks this class of extension probing by default. Brave also blocks the key tracking endpoints as of its current release. If you're locked into a Chromium browser for work, browsing LinkedIn in a dedicated profile with no extensions installed prevents the scan from surfacing anything meaningful.
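Extension developers have a mitigation of their own: the probe only succeeds when a manifest exposes a file to the page's origin under a fixed extension id. The audit below is an added example, not code from the report or from any listed extension; it takes a manifest and a page URL and returns the files that page could fetch, treating MV3 entries with `use_dynamic_url` as not probeable (Chrome serves those only under a per-session id). The sample manifest is constructed, and the match-pattern parser is simplified to http/https schemes.

```javascript
// Added example: which web_accessible_resources can a page at pageUrl fetch
// via chrome-extension://<fixed id>/...? Sample manifest is constructed.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Example Job Helper",
  web_accessible_resources: [
    { resources: ["icons/logo.png"], matches: ["<all_urls>"] },              // any page can probe
    { resources: ["inject.js"], matches: ["https://*.linkedin.com/*"] },     // LinkedIn pages can probe
    { resources: ["internal.html"], matches: ["https://*.example.org/*"] },  // not exposed to LinkedIn
    { resources: ["keyed.js"], matches: ["<all_urls>"], use_dynamic_url: true }, // fixed-id probe fails
    { resources: ["shared.js"], extension_ids: ["b".repeat(32)] },           // other extensions only
  ],
};

// Convert a Chrome match pattern (simplified: http/https only) into a RegExp.
function matchPatternToRegExp(pattern) {
  if (pattern === "<all_urls>") return /^https?:\/\//;
  const m = /^(\*|https?):\/\/(\*|(?:\*\.)?[^/*]+)(\/.*)$/.exec(pattern);
  if (!m) throw new Error("unsupported match pattern: " + pattern);
  const scheme = m[1] === "*" ? "https?" : m[1];
  let host;
  if (m[2] === "*") host = "[^/]*";
  else if (m[2].startsWith("*.")) host = "(?:[^/]+\\.)?" + m[2].slice(2).replace(/\./g, "\\.");
  else host = m[2].replace(/\./g, "\\.");
  const path = m[3].replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp("^" + scheme + "://" + host + path + "$");
}

// Files a page at pageUrl could confirm with an AED-style fetch().
function probeableResources(manifest, pageUrl) {
  const war = manifest.web_accessible_resources || [];
  if (manifest.manifest_version === 2) return war.slice(); // MV2: flat list, open to every origin
  const out = [];
  for (const entry of war) {
    if (entry.use_dynamic_url) continue;          // only reachable under a per-session id
    if (!Array.isArray(entry.matches)) continue;  // extension_ids-only entries are not page-fetchable
    if (entry.matches.some((p) => matchPatternToRegExp(p).test(pageUrl))) out.push(...entry.resources);
  }
  return out;
}

console.log(probeableResources(SAMPLE_MANIFEST, "https://www.linkedin.com/feed/"));
```

An empty result for LinkedIn's origin means the hardcoded path in the scan list would return a failed fetch whether or not the extension is installed.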

A Chrome extension called "Extension Scanner — BrowserGate" has been published to the Chrome Web Store, letting you instantly check which of your installed extensions appear on LinkedIn's scan list. The full 6,222-entry database is searchable at browsergate.eu/extensions.

EU residents can file a complaint with their national data protection authority using pre-filled templates available through the BrowserGate site. The Irish DPC is LinkedIn's lead EU supervisory authority, but complaints can be filed in any member state. In Germany, a criminal complaint under § 202a can be filed directly with the Staatsanwaltschaft.
