NextFin News - LinkedIn is deploying a sophisticated JavaScript routine that silently probes visitors’ browsers for more than 6,000 installed extensions and collects 48 distinct hardware characteristics to create a persistent device fingerprint. The practice, detailed in an investigation by Fairlinked e.V. and independently verified by BleepingComputer, involves a 2.7-megabyte bundle that executes up to 6,222 simultaneous requests to identify specific software tools. This data is then encrypted and attached to every API request a user makes during their session, effectively tracking behavior at an industrial scale without explicit disclosure in the company’s privacy policy.
The technical mechanism, which LinkedIn internally refers to as "Spectroscopy," targets Chromium-based browsers by attempting to access internal file resources unique to specific extension IDs. Beyond software detection, the script harvests granular telemetry including CPU core counts, available memory, battery status, and audio hardware configurations. While individual data points may seem benign, their combination allows for "fingerprinting"—a technique that can identify a specific device even if a user clears their cookies or uses a private browsing mode. The scale of this operation has expanded aggressively, growing from 38 tracked extensions in 2017 to over 6,100 by February 2026.
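For extension developers and defenders auditing what such a scan can see, the following added example (not code from the investigation or from LinkedIn) lists the files an extension leaves reachable at a stable extension-ID URL. It assumes the probed files are those an extension declares under `web_accessible_resources` in its manifest; the sample manifests and the `patternCoversHost` and `probeSurface` helpers are constructed for illustration.

```javascript
// Added example: audit a Chromium extension manifest for files a web page
// could request by extension ID. All sample manifests below are constructed.

// Does a match pattern such as "*://*.example.com/*" cover the given host?
function patternCoversHost(pattern, host) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?):\/\/([^/]+)\//.exec(pattern);
  if (!m) return false;
  const h = m[2];
  if (h === "*") return true;
  if (h.startsWith("*.")) return host === h.slice(2) || host.endsWith(h.slice(1));
  return host === h;
}

// Returns the resource paths a page on `host` could fetch at a stable
// chrome-extension://<id>/<path> URL, i.e. the extension's probe surface.
function probeSurface(manifest, host) {
  const exposed = [];
  for (const entry of manifest.web_accessible_resources || []) {
    if (typeof entry === "string") {      // Manifest V2: open to every origin
      exposed.push(entry);
      continue;
    }
    if (entry.use_dynamic_url) continue;  // MV3: resource URL uses a per-session ID
    const matches = entry.matches || [];  // entries with only extension_ids skip pages
    if (matches.some((p) => patternCoversHost(p, host))) {
      exposed.push(...(entry.resources || []));
    }
  }
  return exposed;
}

const SAMPLES = {
  mv2Legacy: { manifest_version: 2, web_accessible_resources: ["img/icon.png"] },
  mv3Open: { manifest_version: 3, web_accessible_resources: [
    { resources: ["inject.js"], matches: ["<all_urls>"] }] },
  mv3Scoped: { manifest_version: 3, web_accessible_resources: [
    { resources: ["panel.html"], matches: ["https://*.example.org/*"] }] },
  mv3Dynamic: { manifest_version: 3, web_accessible_resources: [
    { resources: ["inject.js"], matches: ["<all_urls>"], use_dynamic_url: true }] },
};

for (const [name, manifest] of Object.entries(SAMPLES)) {
  console.log(name, probeSurface(manifest, "www.linkedin.com"));
}
```

An empty result means the manifest exposes nothing to pages on that host through this route; scoping `matches` to the origins that need the files, or setting `use_dynamic_url`, is what shrinks the list.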
The controversy, dubbed "BrowserGate" by researchers, centers on the nature of the extensions being monitored. The list reportedly includes over 200 products that compete directly with LinkedIn’s own sales and recruitment tools, such as Apollo, Lusha, and ZoomInfo. By identifying which extensions are active, LinkedIn gains visibility into the competitive landscape of its corporate clients. Furthermore, the scan includes tools related to neurodivergent conditions and religious practices, which under the European Union’s General Data Protection Regulation (GDPR) are classified as sensitive personal data requiring heightened protection and explicit consent.
LinkedIn has pushed back against the report’s framing, characterizing it as a security necessity rather than a surveillance tool. A company spokesperson stated that the detection is used to identify extensions that scrape member data or violate terms of service, ensuring site stability and member privacy. The platform also pointed to the source of the investigation, Fairlinked e.V., noting its connection to Teamfluence Signal Systems OÜ—a firm whose own extension was restricted by LinkedIn for alleged scraping. In January 2026, a Munich court denied an injunction filed by Teamfluence against LinkedIn, suggesting that the platform’s restrictive actions did not constitute unlawful discrimination under current EU competition law.
This technical dispute arrives at a precarious moment for LinkedIn’s regulatory standing in Europe. In October 2024, the Irish Data Protection Commission fined the company €310 million for processing personal data for targeted advertising without a valid legal basis. The "BrowserGate" findings may invite further scrutiny from regulators regarding whether "Spectroscopy" constitutes a "tracking" technology that requires opt-in consent under the ePrivacy Directive. While LinkedIn maintains the script is a defensive measure against automated scraping, the breadth of the data collection—extending far beyond known malicious tools—remains a point of significant friction between the platform and privacy advocates.
