
LinkedIn's BrowserGate Exposes Covert Scanning of 6,000 Extensions

Published on April 7, 2026

Every time you open LinkedIn in a Chrome-based browser, hidden code runs on your device. You were never asked. You were never told. And none of it appears in LinkedIn's privacy policy. That is the core allegation at the heart of LinkedIn BrowserGate, a detailed investigation that has sent shockwaves through the privacy and cybersecurity community and triggered legal proceedings across Europe.

The investigation was published by Fairlinked e.V., a European association of commercial LinkedIn users operating under the campaign name BrowserGate. Researchers say they reverse-engineered LinkedIn's production JavaScript to expose what they describe as one of the largest undisclosed data collection operations in the history of the commercial internet.

What LinkedIn Is Actually Doing

The mechanism is precise and deliberately invisible. Each time a LinkedIn page loads in Chrome or any Chromium-based browser, a fingerprinting script executes silently. Inside LinkedIn's production JavaScript bundle, a roughly 2.7 MB file identified as chunk.905, researchers found a hardcoded list of 6,222 Chrome extension IDs. The script probes for each one by attempting to access internal extension files. If the file loads, the extension is confirmed present. The results are encrypted and transmitted back to LinkedIn's servers.

The practice is not new. Researchers traced it back to 2017, when LinkedIn scanned for just 38 extensions. By 2024, that number had grown to around 461. By December 2025, the list had reached 5,459 entries. By February 2026, it stood at 6,167, an increase of roughly 12 extensions per day over the final two months documented.

LinkedIn has not denied the scanning. A senior LinkedIn engineer confirmed it in a sworn court affidavit filed in German proceedings, framing it as part of the platform's anti-scraping and anti-abuse infrastructure.
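A page can only load an extension's internal files if the extension declares them in `web_accessible_resources`, so extension developers can check their own manifest for the exposure this kind of probe relies on. The following is an added example, not code from the BrowserGate report or from LinkedIn; the function names and sample manifests are constructed for illustration.

```javascript
// Added example: audit an extension manifest for files that a web page on
// `pageOrigin` could load through a static chrome-extension:// URL.

// Minimal Chrome match-pattern check (scheme and host only).
function originMatches(pattern, origin) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?):\/\/(\*|(?:\*\.)?[^/*]+)\/.*$/.exec(pattern);
  if (!m) return false;
  const url = new URL(origin);
  const scheme = url.protocol.slice(0, -1);
  if (scheme !== "http" && scheme !== "https") return false;
  if (m[1] !== "*" && m[1] !== scheme) return false;
  if (m[2] === "*") return true;
  if (m[2].startsWith("*.")) {
    const base = m[2].slice(2);
    return url.hostname === base || url.hostname.endsWith("." + base);
  }
  return url.hostname === m[2];
}

function probeableResources(manifest, pageOrigin) {
  const findings = [];
  for (const entry of manifest.web_accessible_resources || []) {
    if (typeof entry === "string") {
      // Manifest V2 form: a listed file is loadable from any origin.
      findings.push({ resource: entry, via: "MV2 (all origins)" });
      continue;
    }
    // Dynamic URLs use a per-session ID, so a hardcoded-ID probe misses.
    if (entry.use_dynamic_url === true) continue;
    const hit = (entry.matches || []).find((p) => originMatches(p, pageOrigin));
    if (!hit) continue; // no `matches` entry covers this origin
    for (const r of entry.resources || []) findings.push({ resource: r, via: hit });
  }
  return findings;
}

// Constructed sample manifests: one broadly exposed, one scoped.
const broad = { manifest_version: 3, web_accessible_resources: [
  { resources: ["img/logo.png"], matches: ["<all_urls>"] } ] };
const scoped = { manifest_version: 3, web_accessible_resources: [
  { resources: ["inject.js"], matches: ["https://app.example.com/*"] },
  { resources: ["ui/panel.html"], matches: ["*://*/*"], use_dynamic_url: true } ] };

const origin = "https://www.linkedin.com";
console.log("broad:", probeableResources(broad, origin));
console.log("scoped:", probeableResources(scoped, origin));
```

An empty result means no declared file is reachable from that origin at a fixed URL; any entry listed is a file whose successful load would reveal the extension's presence.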

Why the Scale of This Matters

Anti-bot detection is a legitimate security practice. What Fairlinked argues, and what makes LinkedIn BrowserGate legally significant, is that the scope of LinkedIn extension scanning goes far beyond anything that justification can cover.

The scanned list includes 509 job search extensions used by a combined 1.4 million people. It includes over 200 products that compete directly with LinkedIn's own sales tools, such as Apollo, Lusha, and ZoomInfo. Because LinkedIn knows each user's real name, employer, and job title, it can map which companies use which competitor products, effectively extracting the customer lists of those businesses from users' browsers without anyone's knowledge.

The list also includes extensions indicating religious practices, political orientation, and neurodivergence. Under GDPR Article 9, this type of data — religious beliefs, political opinions, health conditions — is not merely regulated. Processing it without explicit consent is prohibited. LinkedIn holds no disclosed consent for any of it.

A Corporate Espionage Argument

The LinkedIn privacy violation allegations go further than data protection law. Fairlinked frames BrowserGate as a form of corporate espionage, and the argument is difficult to dismiss given the specifics.

LinkedIn's internal system can identify which employees at which companies use which third-party sales tools. It can detect job search activity among staff at organisations where their managers are also active on the platform. It can reveal the security posture and software stack of businesses without those businesses ever consenting to disclose it. LinkedIn has reportedly already used enforcement threats against users of third-party tools, with the data obtained through this covert browser fingerprinting used to identify targets.

Beyond LinkedIn's own servers, the data travels further. BrowserGate researchers identified an invisible zero-pixel tracking element loaded from HUMAN Security, formerly known as PerimeterX, an American-Israeli cybersecurity firm. A separate fingerprinting script runs from LinkedIn's own servers. A third script from Google executes silently on every page load. All of it is encrypted. None of it is disclosed anywhere in LinkedIn's privacy policy.

The DMA Dimension

The timing of LinkedIn's expanding scan list is central to the legal case. The EU designated LinkedIn as a regulated gatekeeper under the Digital Markets Act in September 2023, ordering the platform to open access to third-party tools. LinkedIn responded by publishing two restricted APIs that together handle approximately 0.07 calls per second. Its internal Voyager API, which powers every LinkedIn web and mobile product, runs at 163,000 calls per second. The word "Voyager" does not appear once in Microsoft's 249-page DMA compliance report to the European Commission.

In the same period LinkedIn was required to welcome third-party tools, the extension scan list grew tenfold. The EU told LinkedIn to open up. LinkedIn appears to have built a system to identify and target every user of the tools that regulation was designed to protect.

Legal Proceedings Are Already Moving

LinkedIn BrowserGate has moved from investigation to courtroom. In January 2026, Estonian software company Teamfluence filed a preliminary injunction against LinkedIn Ireland Unlimited Company and LinkedIn Germany GmbH at the Regional Court of Munich. The case centres on alleged violations of the Digital Markets Act, EU competition law, and German data protection rules. The presiding judge previously ruled against Google in a DMA-related competition law case.

In Germany, the conduct may also cross into criminal territory under Section 202a of the German Criminal Code, which covers unauthorised access to data and carries a maximum penalty of three years in prison.

This is not LinkedIn's first serious regulatory collision in Europe. In October 2024, the Irish Data Protection Commission fined LinkedIn €310 million for processing users' personal data for behavioural analysis and targeted advertising without a valid legal basis. That decision found LinkedIn's consent mechanisms fell short of GDPR's requirement that consent be freely given, specific, and informed. The BrowserGate allegations now raise the same fundamental questions, applied to a collection practice that LinkedIn never disclosed at all.

LinkedIn's only public response to BrowserGate has been a comment posted by a "LinkedIn Help" account on Hacker News, framing the scanning as legitimate anti-scraping security.

Who Is Affected

The short answer is anyone using LinkedIn on a Chrome or Chromium-based browser. That covers the vast majority of LinkedIn's one billion-plus users. Firefox and Safari users are not exposed to the extension-scanning component, because those browsers' architectures do not permit the same Chrome extension probing method. Brave users on Chromium are currently reported to have some protection, but the broader fingerprinting behaviour is not limited to extension scanning alone.

The combined user base of the scanned extensions amounts to approximately 405 million people. LinkedIn's data collection through this system is attributed to verified, identified professionals: real names, real employers, real job titles. This is not anonymous web tracking. It is profiling of known individuals at known organisations, assembled without their knowledge.

What Organisations Should Know

For businesses, the implications extend beyond individual privacy. Any organisation whose employees use LinkedIn on work devices should understand that LinkedIn's browser fingerprinting may be mapping the company's internal software environment, including which security tools, competitor products, and third-party platforms are in use. That information sits on LinkedIn's servers, attributed to identified employees, with no opt-out mechanism and no disclosure.

Companies that build or use third-party LinkedIn tools face additional exposure. The scan list appears designed, in part, to identify exactly those users. LinkedIn has already demonstrated a willingness to act on what it finds.

The Regulatory Road Ahead

The BrowserGate investigation arrives in a European regulatory environment that has been moving steadily toward requiring explicit disclosure of all significant data collection. A scanning operation of this scale, conducted without any mention in a privacy policy, sits uncomfortably within that framework regardless of the security justification offered.

EU regulators across multiple jurisdictions have been notified. The Irish Data Protection Commission remains LinkedIn's lead supervisory authority in the EU, and its track record suggests it is willing to pursue enforcement when the facts support it. Whether that process moves quickly enough to match the scale of LinkedIn's ongoing data collection is the open question.

For now, LinkedIn BrowserGate stands as a case study in the gap between what platforms collect and what users are told. It's a gap that has grown wider with every line added to that extension scan list.
