
LinkedIn's BrowserGate Exposes Covert Scanning of 6,000 Extensions
Every time you open LinkedIn in a Chrome-based browser, hidden code runs on your device. You were never asked. You were never told. And none of it appears in LinkedIn's privacy policy. That is the core allegation at the heart of LinkedIn BrowserGate, a detailed investigation that has sent shockwaves through the privacy and cybersecurity community and triggered legal proceedings across Europe.
The investigation was published by Fairlinked e.V., a European association of commercial LinkedIn users operating under the campaign name BrowserGate. Researchers say they reverse-engineered LinkedIn's production JavaScript to expose what they describe as one of the largest undisclosed data collection operations in the history of the commercial internet.
What LinkedIn Is Actually Doing
The mechanism is precise and deliberately invisible. Each time a LinkedIn page loads in Chrome or any Chromium-based browser, a fingerprinting script executes silently. Inside LinkedIn's production JavaScript bundle, a roughly 2.7 MB file identified as chunk.905, researchers found a hardcoded list of 6,222 Chrome extension IDs. The script probes for each one by attempting to access internal extension files. If the file loads, the extension is confirmed present. The results are encrypted and transmitted back to LinkedIn's servers.
The practice is not new. Researchers traced it back to 2017, when LinkedIn scanned for just 38 extensions. By 2024, that number had grown to around 461. By December 2025, the list had reached 5,459 entries. By February 2026, it stood at 6,167, an increase of roughly 12 extensions per day over the final two months documented.
LinkedIn has not denied the scanning. A senior LinkedIn engineer confirmed it in a sworn court affidavit filed in German proceedings, framing it as part of the platform's anti-scraping and anti-abuse infrastructure.
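The probing described above depends on a Chrome rule: a web page can load an extension's internal file only if the extension's manifest lists it under web_accessible_resources for that page's origin. The following is an added example, not code from LinkedIn or the BrowserGate researchers; it classifies manifests by whether a page on a given origin could confirm the extension that way, and every manifest in SAMPLES is constructed for illustration.

```javascript
// Added example: classify Chrome extension manifests by page-probe exposure.
// All manifests in SAMPLES are constructed, not real extensions.

// Compare the host part of a match pattern against a hostname.
function hostMatches(patternHost, host) {
  if (patternHost === "*") return true;
  if (patternHost.startsWith("*.")) {
    const base = patternHost.slice(2);
    return host === base || host.endsWith("." + base);
  }
  return patternHost === host;
}

// True if a match pattern such as "https://*.example.org/*" covers origin.
function patternCoversOrigin(pattern, origin) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?):\/\/([^/]+)\//.exec(pattern);
  if (!m) return false;
  const url = new URL(origin);
  const scheme = url.protocol.slice(0, -1);
  const schemeOk = m[1] === "*" ? /^https?$/.test(scheme) : m[1] === scheme;
  return schemeOk && hostMatches(m[2], url.hostname);
}

// Returns "exposed", "dynamic-url" or "not-exposed" for one manifest.
function probeExposure(manifest, origin) {
  const war = manifest.web_accessible_resources || [];
  if (war.length === 0) return "not-exposed";
  // Manifest V2: a flat list of paths that any web page may load.
  if (manifest.manifest_version === 2) return "exposed";
  let result = "not-exposed";
  for (const entry of war) {
    const matches = entry.matches || [];
    if (!(entry.resources || []).length) continue;
    if (!matches.some((p) => patternCoversOrigin(p, origin))) continue;
    // use_dynamic_url serves the file under a per-session ID, not the fixed one.
    if (!entry.use_dynamic_url) return "exposed";
    result = "dynamic-url";
  }
  return result;
}

const SAMPLES = {
  legacyV2: { manifest_version: 2, web_accessible_resources: ["img/icon.png"] },
  openV3: { manifest_version: 3, web_accessible_resources: [{ resources: ["inject.js"], matches: ["<all_urls>"] }] },
  scopedV3: { manifest_version: 3, web_accessible_resources: [{ resources: ["ui.html"], matches: ["https://*.example.org/*"] }] },
  dynamicV3: { manifest_version: 3, web_accessible_resources: [{ resources: ["ui.css"], matches: ["*://*/*"], use_dynamic_url: true }] },
  noneV3: { manifest_version: 3 },
};
for (const [n, m] of Object.entries(SAMPLES)) console.log(n, probeExposure(m, "https://www.linkedin.com"));
```

Extension developers can run the same check against their own manifest.json to see whether narrowing matches or setting use_dynamic_url removes the exposure.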
Why the Scale of This Matters
Anti-bot detection is a legitimate security practice. What Fairlinked argues, and what makes LinkedIn BrowserGate legally significant, is that the scope of LinkedIn extension scanning goes far beyond anything that justification can cover.
The scanned list includes 509 job search extensions used by a combined 1.4 million people. It includes over 200 products that compete directly with LinkedIn's own sales tools, such as Apollo, Lusha, and ZoomInfo. Because LinkedIn knows each user's real name, employer, and job title, it can map which companies use which competitor products, effectively extracting the customer lists of those businesses from users' browsers without anyone's knowledge.
The list also includes extensions indicating religious practices, political orientation, and neurodivergence. Under GDPR Article 9, this type of data — religious beliefs, political opinions, health conditions — is not merely regulated. Processing it without explicit consent is prohibited. LinkedIn holds no disclosed consent for any of it.
A Corporate Espionage Argument
The LinkedIn privacy violation allegations go further than data protection law. Fairlinked frames BrowserGate as a form of corporate espionage, and the argument is difficult to dismiss given the specifics.
LinkedIn's internal system can identify which employees at which companies use which third-party sales tools. It can detect job search activity among staff at organisations where their managers are also active on the platform. It can reveal the security posture and software stack of businesses without those businesses ever consenting to disclose it. LinkedIn has reportedly already used enforcement threats against users of third-party tools, with the data obtained through this covert browser fingerprinting used to identify targets.
Beyond LinkedIn's own servers, the data travels further. BrowserGate researchers identified an invisible zero-pixel tracking element loaded from HUMAN Security, formerly known as PerimeterX, an American-Israeli cybersecurity firm. A separate fingerprinting script runs from LinkedIn's own servers. A third script from Google executes silently on every page load. All of it is encrypted. None of it is disclosed anywhere in LinkedIn's privacy policy.
The DMA Dimension
The timing of LinkedIn's expanding scan list is central to the legal case. The EU designated LinkedIn as a regulated gatekeeper under the Digital Markets Act in September 2023, ordering the platform to open access to third-party tools. LinkedIn responded by publishing two restricted APIs that together handle approximately 0.07 calls per second. Its internal Voyager API, which powers every LinkedIn web and mobile product, runs at 163,000 calls per second. The word "Voyager" does not appear once in Microsoft's 249-page DMA compliance report to the European Commission.
In the same period LinkedIn was required to welcome third-party tools, the extension scan list grew tenfold. The EU told LinkedIn to open up. LinkedIn appears to have built a system to identify and target every user of the tools that regulation was designed to protect.
Legal Proceedings Are Already Moving
LinkedIn BrowserGate has moved from investigation to courtroom. In January 2026, Estonian software company Teamfluence filed a preliminary injunction against LinkedIn Ireland Unlimited Company and LinkedIn Germany GmbH at the Regional Court of Munich. The case centres on alleged violations of the Digital Markets Act, EU competition law, and German data protection rules. The presiding judge previously ruled against Google in a DMA-related competition law case.
In Germany, the conduct may also cross into criminal territory under Section 202a of the German Criminal Code, which covers unauthorised access to data and carries a maximum penalty of three years in prison.
This is not LinkedIn's first serious regulatory collision in Europe. In October 2024, the Irish Data Protection Commission fined LinkedIn €310 million for processing users' personal data for behavioural analysis and targeted advertising without a valid legal basis. That decision found LinkedIn's consent mechanisms fell short of GDPR's requirement that consent be freely given, specific, and informed. The BrowserGate allegations now raise the same fundamental questions, applied to a collection practice that LinkedIn never disclosed at all.
LinkedIn's only public response to BrowserGate has been a comment posted by a "LinkedIn Help" account on Hacker News, framing the scanning as legitimate anti-scraping security.
Who Is Affected
The short answer is anyone using LinkedIn on a Chrome or Chromium-based browser. That covers the vast majority of LinkedIn's one billion-plus users. Firefox and Safari users are not exposed to the extension-scanning component, because those browsers' architectures do not permit the same Chrome extension probing method. Brave users on Chromium are currently reported to have some protection, but the broader fingerprinting behaviour is not limited to extension scanning alone.
The combined user base of the scanned extensions amounts to approximately 405 million people. LinkedIn's data collection through this system is attributed to verified, identified professionals: real names, real employers, real job titles. This is not anonymous web tracking. It is profiling of known individuals at known organisations, assembled without their knowledge.
What Organisations Should Know
For businesses, the implications extend beyond individual privacy. Any organisation whose employees use LinkedIn on work devices should understand that LinkedIn's browser fingerprinting may be mapping the company's internal software environment, including which security tools, competitor products, and third-party platforms are in use. That information sits on LinkedIn's servers, attributed to identified employees, with no opt-out mechanism and no disclosure.
Companies that build or use third-party LinkedIn tools face additional exposure. The scan list appears designed, in part, to identify exactly those users. LinkedIn has already demonstrated a willingness to act on what it finds.
The Regulatory Road Ahead
The BrowserGate investigation arrives in a European regulatory environment that has been moving steadily toward requiring explicit disclosure of all significant data collection. A scanning operation of this scale, conducted without any mention in a privacy policy, sits uncomfortably within that framework regardless of the security justification offered.
EU regulators across multiple jurisdictions have been notified. The Irish Data Protection Commission remains LinkedIn's lead supervisory authority in the EU, and its track record suggests it is willing to pursue enforcement when the facts support it. Whether that process moves quickly enough to match the scale of LinkedIn's ongoing data collection is the open question.
For now, LinkedIn BrowserGate stands as a case study in the gap between what platforms collect and what users are told. It's a gap that has grown wider with every line added to that extension scan list.