In brief: Every time you visit LinkedIn in a Chrome-based browser, a hidden JavaScript routine silently scans your browser for more than 6,000 installed extensions, collects 48 hardware and software characteristics of your device, encrypts the resulting fingerprint, and attaches it to every API request you make during your session. The practice, dubbed “BrowserGate” by researchers, is not disclosed in LinkedIn’s privacy policy. LinkedIn says it is a security measure; critics say it is covert surveillance of the browsing behavior of one billion users on an industrial scale.
There is a routine that runs on your computer every time you open LinkedIn. You cannot see it, you were not informed about it, and it is not described in the company’s privacy policy. According to research published in early April 2026 by Fairlinked e.V., a European association of LinkedIn business users, the platform injects a 2.7-megabyte JavaScript bundle into its website that silently scans visitors’ browsers for the presence of more than 6,000 specific Chrome extensions, gathers a detailed fingerprint of their hardware, encrypts it, and transmits the result to LinkedIn’s servers, where it is attached to each subsequent action taken during the session.
The investigation, independently confirmed by BleepingComputer, which verified the scanning behavior through its own tests, has been named “BrowserGate”. LinkedIn disputes many of the report’s characterizations. The technical facts themselves, that the scan runs and what it probes for, are not in dispute.
What the script does
LinkedIn calls its scanning system “spectroscopy.” When a user loads the LinkedIn website, the script fires up to 6,222 requests in parallel, each asking the browser for a file under a specific extension’s ID (a chrome-extension:// URL). Chromium only serves such a file when that extension is installed and exposes the file, so whether the request succeeds or fails tells the script whether the extension is present. The entire operation runs silently in the background, with no visible prompts or notifications of any kind.
Beyond the extensions, the script collects 48 different characteristics of the user’s device: CPU core count, available memory, screen resolution, time zone, language settings, battery status, audio hardware information, and storage capacity, among others. Individually, these attributes are unremarkable. Combined, they form a device fingerprint specific enough to re-identify a user after cookies are cleared, because none of the inputs live in cookie storage.
Once compiled, the data is serialized to JSON and encrypted with an RSA public key (LinkedIn’s internal identifier for the key is “apfcDfPK”) before being transmitted to telemetry endpoints, including li/track and /platform-telemetry/li/apfcDf. The encrypted fingerprint is then attached as an HTTP header to every API request made during the session, so LinkedIn receives it with every search, every profile view, and every message sent.
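The probing technique described above, as an added example (this is not LinkedIn’s code and not code from the BrowserGate report): a page builds a chrome-extension://<id>/<resource> URL for each catalogued extension, asks the browser to load it, and records which loads succeed. The probe function is injected so the scan logic runs offline in Node with a fake probe; in a browser you would pass `probeWithFetch`. The catalog entries, the extension IDs, the resource paths, the concurrency limit and all helper names are assumptions made for illustration.

```javascript
// Added example, not code from LinkedIn or the BrowserGate report. Demonstrates how a
// page can enumerate installed Chromium extensions by probing chrome-extension:// URLs.

const EXTENSION_ID_RE = /^[a-p]{32}$/; // Chromium extension IDs: 32 characters from a-p

// Build the probe URL for one catalog entry. `resource` must be a path the extension
// exposes via web_accessible_resources; otherwise the load fails even when the extension
// is installed (a false negative the scanner simply accepts).
function probeUrl(entry) {
  if (!EXTENSION_ID_RE.test(entry.id)) throw new Error(`bad extension id: ${entry.id}`);
  return `chrome-extension://${entry.id}/${entry.resource.replace(/^\/+/, '')}`;
}

// Browser-side probe (not executed here): a no-cors fetch of a missing extension or of a
// resource that is not web-accessible rejects; an accessible resource resolves.
function probeWithFetch(url) {
  return fetch(url, { mode: 'no-cors' }).then(() => true, () => false);
}

// Run `probe` over the whole catalog with at most `concurrency` requests in flight, the
// way a scanner firing thousands of probes at page load would. Returns sorted installed IDs.
async function detectExtensions(catalog, probe, concurrency = 64) {
  const urls = catalog.map(probeUrl);
  const found = [];
  let next = 0;
  async function worker() {
    while (next < urls.length) {
      const i = next++;
      if (await probe(urls[i])) found.push(catalog[i].id);
    }
  }
  const workers = Array.from({ length: Math.min(concurrency, urls.length) }, worker);
  await Promise.all(workers);
  return found.sort();
}

// Constructed catalog: these IDs and paths are made up and do not refer to real extensions.
const SAMPLE_CATALOG = [
  { id: 'a'.repeat(32), resource: 'icons/icon128.png', label: 'example-extension-a' },
  { id: 'b'.repeat(32), resource: 'assets/logo.svg', label: 'example-extension-b' },
  { id: 'c'.repeat(32), resource: 'inject.js', label: 'example-extension-c' },
];

// Offline stand-in for the browser: pretend the given extension IDs are installed.
function fakeProbe(installedIds) {
  return async (url) => installedIds.some((id) => url.startsWith(`chrome-extension://${id}/`));
}

async function demo() {
  return detectExtensions(SAMPLE_CATALOG, fakeProbe(['b'.repeat(32)]), 2);
}

if (typeof window === 'undefined') demo().then((ids) => console.log('installed:', ids));
```

The design choice worth noting is the bounded worker pool: a scanner that started all 6,000 probes at once would stall the page, while a pool of a few dozen keeps the scan invisible to the user. A defender reviewing a page’s traffic looks for exactly this pattern, a burst of chrome-extension:// loads at page load that no legitimate page feature explains.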
What the script looks for
The question of which extensions LinkedIn looks for makes the scan more sensitive than simple fraud detection would require. According to the BrowserGate report, LinkedIn’s list includes more than 200 products that directly compete with its own sales tools, including Apollo, Lusha, and ZoomInfo. Because LinkedIn knows the employer of each registered user, systematically checking for the presence of a competing tool gives the platform visibility into which companies are evaluating or implementing rival products.
The list also reportedly includes tools associated with neurodivergent conditions, religious practices, political interests, and job search activities. Several of these (health, religion, political opinion) are special categories of personal data under Article 9 of the General Data Protection Regulation and subject to increased protection in the European Union. Knowing that a user is running a job search extension, for example, is a significant inference about their employment intentions, drawn without consent.
The scale of the operation has grown substantially over time. LinkedIn began checking for 38 specific extensions in 2017. By 2024, that number had increased to 461. By February 2026, the list had reached 6,167, which the report puts at an increase of 1,252% in two years. BleepingComputer testing confirmed that the scan was active in early April 2026.
LinkedIn’s defense and the source of the report
LinkedIn’s response to BleepingComputer was direct. “The claims made on the website linked here are completely wrong,” a spokesperson said. “The person behind them is subject to an account restriction for scraping and other violations of LinkedIn’s Terms of Service. To protect our members’ privacy, their data, and ensure site stability, we look for extensions that scrape data without members’ consent or otherwise violate LinkedIn’s Terms of Service.” The company added that it does not use the data to “infer confidential information about members.”
The platform’s characterization of the source is important. Fairlinked e.V. is connected to Teamfluence Signal Systems OÜ, an Estonian company whose leadership includes Steven Morell and Jan Liebling. Teamfluence makes a Chrome extension, also called Teamfluence, that LinkedIn restricted for alleged terms of service violations. The company subsequently applied for an injunction against LinkedIn Ireland Unlimited Company and LinkedIn Germany GmbH at the Munich Regional Court, alleging violations of the Digital Markets Act, EU competition law and German data protection rules. In January 2026, the Munich court denied the application, finding that LinkedIn’s actions did not constitute unlawful obstruction or discrimination.
The commercial dispute between the parties does not change the technical findings, which were independently verified. What it does mean is that the framing of those findings is contested, and readers must weigh both the substance of the claim and its provenance.
The regulatory context
This is not LinkedIn’s first serious brush with data protection enforcement in Europe. In October 2024, the Irish Data Protection Commission, which regulates LinkedIn in the EU through its Irish subsidiary, fined the company €310 million, approximately $334 million, for processing users’ personal data for targeted advertising without a valid legal basis. The decision found that LinkedIn’s consent mechanisms did not meet the GDPR’s requirement that consent be “freely given.” LinkedIn was ordered to bring its processing into compliance.
The BrowserGate investigation falls into that context. The legal question of whether scanning for 6,000 browser extensions constitutes special category processing of personal data, and whether users’ lack of knowledge of the practice invalidates any implied consent, is exactly the sort of question the Irish Data Protection Commission has already shown it is willing to act on. The evolving digital regulatory framework in Europe has been steadily moving toward requiring explicit disclosure of all relevant data collection, and a scanning operation of this scale, conducted without any mention in a privacy policy, seems difficult to square with that direction of travel.
LinkedIn is a subsidiary of Microsoft, acquired in 2016 for $26.2 billion. Microsoft has been aggressively expanding its AI capabilities in 2026, with LinkedIn’s vast set of professional identity and work history data forming an important part of the data infrastructure on which those capabilities rest. The relationship between LinkedIn’s data collection practices and Microsoft’s broader AI ambitions is also not addressed in LinkedIn’s privacy policy.
What this means for users
LinkedIn has more than one billion registered users. Most access the platform through Chrome-based browsers, meaning spectroscopy scanning routinely runs on the devices of a significant fraction of the global professional workforce, collecting a digital fingerprint that is stable enough to persist across cookie resets and, where a user’s extension set is synced between browsers, potentially across devices.
There is no user-facing setting that prevents the scan. Using a non-Chromium browser such as Firefox limits it but does not eliminate it: the extension probe depends on Chromium’s predictable chrome-extension:// URLs, and Firefox assigns each installed extension a per-installation random internal UUID, so the probe cannot address extensions there, but the 48 hardware and software attributes are still readable. The platform does not offer an opt-out because it does not disclose the practice in the first place. The 2026 push for governed and transparent data and AI practices is based precisely on the premise that invisible data collection of this type should not be the default.
It remains to be seen whether regulators act quickly enough to change that default at LinkedIn scale. Security companies are increasingly built to detect exactly this type of covert data collection. They are becoming a growth sector in their own right, a market indicator that the gap between what platforms collect and what users understand remains very wide. The year 2025 normalized AI-powered data collection at a pace that regulation has not yet matched. BrowserGate is a case study in what that delay looks like from inside a browser.