Why Is LinkedIn Scanning My Browser?

Let’s take a closer look at ‘Browsergate’: is LinkedIn really running the biggest corporate espionage initiative in modern history?

The gatekeeper shall provide business users and third parties authorised by a business user, at their request, free of charge, with effective, high-quality, continuous and real-time access to, and use of, aggregated and non-aggregated data, including personal data, that is provided for or generated in the context of the use of the relevant core platform services.

Digital Markets Act, Article 6(10); gatekeeper obligations applicable from 6 March 2024


In early April 2026, a European advocacy group called Fairlinked e.V. published a technical report titled BrowserGate. The headline claim was loud: LinkedIn was running, in their words, “one of the largest corporate espionage operations in modern history”. The report alleged that LinkedIn injects hidden JavaScript into every page load, silently scans visitors’ browsers for thousands of installed extensions, fingerprints their devices, and ties the result to their identifiable profile.

BleepingComputer ran independent tests and confirmed the technical behaviour. Tom’s Hardware, The Next Web, TechRadar and others picked it up. LinkedIn responded by calling the report “a smear campaign run by a developer who’d lost a court case in Germany”.

Most coverage split predictably between those two framings: privacy outrage, or routine security misrepresented. Both miss, in my opinion, the more interesting story, which only becomes visible when you stop arguing about whether LinkedIn is doing something wrong and start asking what the system was actually built to do.

I. What LinkedIn Is Actually Doing

Snippet of the list of extensions scanned for by LinkedIn's script


Every time you load LinkedIn in Chrome or any Chromium-based browser, a 2.7-megabyte JavaScript bundle executes in the background. It probes your browser for 6,236 specific extensions by attempting to load a known file under each extension’s chrome-extension://<ID>/ URL. If the file resolves, the extension is confirmed installed. Only extensions that expose at least one web-accessible resource can be detected this way, so the list is limited to extensions with a known probeable file rather than being a scan of everything installed. The result is bundled with 48 device data points (CPU cores, available memory, screen resolution, timezone, language, battery status, audio characteristics, storage capacity), encrypted with RSA, and transmitted to LinkedIn’s telemetry endpoints. The fingerprint is then attached to every API request during the session.
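To make the mechanism concrete, here is an added illustration of resource-probing extension detection together with the defender-side check of what makes an extension probeable. This is not LinkedIn’s script or any vendor’s code. The extension IDs, resource paths and manifest are constructed placeholders, and the no-cors fetch in browserResolver is an assumption about one common loader; the page does not say which loader LinkedIn’s bundle uses.

```javascript
// Added illustration of "resource probing" extension detection. Not LinkedIn's
// script or any vendor's code; IDs, paths and manifests below are constructed.

// A probe list pairs an extension ID with a resource path that extension ships.
// Real lists (the one BleepingComputer counted) run to thousands of entries.
const PROBE_LIST = [
  { id: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", path: "icons/icon128.png" },
  { id: "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", path: "content.css" },
  { id: "cccccccccccccccccccccccccccccccc", path: "inject.js" },
];

// Default resolver for a real Chromium page (assumption: a no-cors fetch is one
// common loader; the page does not say which loader LinkedIn's bundle uses).
// Chromium completes the request only if <id> is installed AND <path> is
// declared in that extension's web_accessible_resources; otherwise it errors.
async function browserResolver(id, path) {
  try {
    await fetch(`chrome-extension://${id}/${path}`, { mode: "no-cors" });
    return true;
  } catch {
    return false;
  }
}

// Probe every entry concurrently and return the IDs that answered. A few
// thousand probes complete in well under a second, which is why a visitor
// never notices the scan.
async function probeExtensions(probeList, resolve = browserResolver) {
  const results = await Promise.all(
    probeList.map(async ({ id, path }) => ({ id, hit: await resolve(id, path) }))
  );
  return results.filter((r) => r.hit).map((r) => r.id).sort();
}

// Defender's check: which of an extension's resources can a web page probe at a
// static chrome-extension://<id>/ URL? MV2 exposes the whole string list.
// MV3 entries with `use_dynamic_url: true` are served under a per-session
// random origin instead, so a static probe by extension ID fails for them.
function staticallyProbeableResources(manifest) {
  const war = manifest.web_accessible_resources || [];
  if (manifest.manifest_version === 2) return [...war].sort();
  const exposed = [];
  for (const entry of war) {
    if (entry.use_dynamic_url) continue;
    for (const res of entry.resources || []) exposed.push(res);
  }
  return exposed.sort();
}

// Constructed MV3 manifest: one static entry (probeable) and one dynamic entry.
const SAMPLE_MV3_MANIFEST = {
  manifest_version: 3,
  name: "Example extension (constructed)",
  web_accessible_resources: [
    { resources: ["icons/icon128.png", "content.css"], matches: ["<all_urls>"] },
    { resources: ["inject.js"], matches: ["<all_urls>"], use_dynamic_url: true },
  ],
};

// Offline demo: a fake resolver standing in for the browser, pretending that
// only the "bbbb…" extension is installed.
const fakeResolver = async (id) => id.startsWith("bbbb");
probeExtensions(PROBE_LIST, fakeResolver).then((hits) =>
  console.log(
    "installed:", hits,
    "| statically probeable:", staticallyProbeableResources(SAMPLE_MV3_MANIFEST)
  )
);
```

The takeaway for extension authors is the second function: a resource only becomes a beacon for this kind of scan if it is declared in web_accessible_resources without use_dynamic_url, so the exposure is a manifest decision, not an unavoidable property of being installed.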

The script isn’t new. Researchers traced earlier versions back to 2017, when the list contained 38 extensions. By 2024 it had grown to roughly 461. By December 2025, 5,459. By February 2026, 6,167. As of mid-April, BleepingComputer counted exactly 6,236.


LinkedIn hasn’t denied any of this. A company spokesperson confirmed the practice to BleepingComputer directly: “To protect the privacy of our members, their data, and to ensure site stability, we do look for extensions that scrape data without members’ consent or otherwise violate LinkedIn’s Terms of Service.”

The technical facts are settled. The only dispute is what they mean.

II. The Case for LinkedIn

Before we dismiss the security explanation, let’s give it the weight it deserves. It isn’t implausible.

LinkedIn operates at a scale where automated scraping is a genuine engineering problem. Detecting which extensions are responsible for unusual data requests is a legitimate response. The technique itself, probing for known extension file paths, is documented industry practice.

In May 2020, eBay was discovered running JavaScript port scans on visitors’ devices to detect remote access tools associated with account takeover fraud. The same fingerprinting infrastructure, run by the LexisNexis subsidiary ThreatMetrix, later turned up on sites operated by Citibank, TD Bank, Equifax IQ, and others. LinkedIn isn’t doing something the rest of the industry hasn’t done.

The messenger also matters. Fairlinked e.V. was founded by the developer of Teamfluence, a Chrome extension LinkedIn banned for automated data collection. That developer filed a preliminary injunction against LinkedIn in Munich and lost. According to LinkedIn’s official statement to BleepingComputer, the German court found that the developer’s own data practices ran afoul of the law, and that BrowserGate is an attempt to re-litigate that loss in the press.

The most useful technical pushback came from SecurityWeek. Tyler Reguly, associate director of security R&D at Fortra, sampled 10% of the 6,236 extensions and found many of them were genuinely terrible: tab hijackers, homepage rewriters, persistent popups, even one that Rickrolled him every time he opened his browser. His conclusion: “I think that administrators and security folks should be celebrating this revelation. They now have a list of Extension IDs that they should block at their organization.” On the more sensationalist BrowserGate framing, he called it “a giant nothingburger.”

So the security story is coherent. LinkedIn has real reasons to detect rogue extensions. The technique isn’t unprecedented. The source has obvious incentives.

A reasonable person could read all of that and conclude this is fraud prevention dressed up as scandal.

That reasonable person should now look at the list.

III. The Problem With 6,236

Fraud prevention doesn’t require knowing which sales intelligence tool a company’s SDRs are running.

The BrowserGate report identifies over 200 extensions on the scan list that compete directly with LinkedIn’s own products: Apollo, Lusha, ZoomInfo, Cognism, and others that go head-to-head with LinkedIn Sales Navigator. Because LinkedIn ties every page load to a named user (with employer, job title, seniority, and tenure attached), the presence of a competitor tool on a given device isn’t just a data point about an individual. Aggregated across an organisation’s employees, it becomes a picture of that organisation’s sales stack: which tools they’re evaluating, which they’ve deployed at scale, who they’re likely to renew with.

That’s a different category of knowledge from “this account is scraping data.” That’s commercial intelligence on the customer base of every direct competitor.

The list also includes 509 job-search extensions used by a combined 1.4 million people. Their detection on a professional networking platform reveals something sensitive: that user is actively job-hunting on the platform where their current employer can see their profile. Combined with LinkedIn’s reported scanning of tools associated with neurodivergent users, religious practice, and political orientation, this drops into a category that EU data protection law treats as the highest sensitivity tier.

That distinction matters because of recent precedent. In October 2024, the Irish Data Protection Commission fined LinkedIn €310 million for processing personal data for behavioural analysis and targeted advertising without a valid legal basis under the GDPR. That ruling, originating from a 2018 complaint by the French nonprofit La Quadrature du Net, established that LinkedIn’s existing consent mechanisms didn’t meet the GDPR standard of “freely given.” The BrowserGate scan, which isn’t disclosed in LinkedIn’s privacy policy, falls squarely within that same precedent.

LinkedIn responded that it does not use the data to “infer sensitive information about members.” That’s an assertion about intent. The list itself is an assertion about capability.

IV. The DMA Timing

Here’s where the security framing becomes hard to sustain.

In September 2023, the European Commission designated LinkedIn as a gatekeeper under the Digital Markets Act. The compliance deadline was 6 March 2024. The DMA’s central data-access requirement, Article 6(10), is direct: gatekeepers must give business users free, real-time access to the data generated through their use of the platform. The regulation was specifically designed to protect the ecosystem of third-party tools that depend on platform data.

LinkedIn’s public response was to publish two APIs that independent developers and competitors described as inadequate. Behind the scenes, LinkedIn continued banning third-party tools, suspending accounts, and litigating against developers building on the platform it had been required to open.

And the extension scan list grew more than tenfold.

In 2024, when the DMA designation took effect, LinkedIn was scanning for around 461 extensions. Two years later, the list is at 6,236. At its peak growth rate, LinkedIn was adding roughly 12 entries per day.

Correlation isn’t proof of mechanism, but the direction of travel is hard to read past: the EU told LinkedIn to make room for the tools its users depend on. In the same window, LinkedIn built a system that can identify, at scale and per session, every user running those exact tools.

If you wanted to design a system that complies with the letter of a regulation while undermining its intent, you would want to know which companies use the tools the regulation was built to protect. You would want to know that before they exercised their DMA rights. The scan list provides exactly that visibility.

V. What It Means for Your Stack

For most professionals, this is abstract until it isn’t. So here’s the operational reality.

If your firm uses Apollo, Lusha, ZoomInfo, Cognism, or any of the other ~200 Sales Navigator competitors on LinkedIn’s list, then LinkedIn has a fingerprint of that. Not as a possibility, as a documented fact, on every page load, right now. Your SDRs opening LinkedIn to check a profile are sending a signal to the platform that your organisation is using a competing product.

What LinkedIn does with that data is the open question. The company hasn’t disclosed retention policies, internal access controls, or whether the data feeds any commercial decision-making. The absence of disclosure doesn’t confirm misuse. It does mean your firm operates without visibility into a process that has visibility into you.

The exposure scales with how central LinkedIn is to your operation. If your firm runs a heavy outbound motion, particularly in industries where relationship intelligence is a competitive asset (executive search, M&A advisory, strategic B2B sales, recruiting), the question worth asking isn’t whether this is illegal. The courts will eventually answer that. The question is whether LinkedIn has effectively become a data counterparty in your sales operation, and whether that risk has been priced in.

Closing

The technique is old: resource-probing as an extension-detection method has been documented for years. eBay’s port scanning broke publicly in 2020. Browser fingerprinting at this scale is not a novel attack surface.

What’s changed is composition and timing. At 6,236 extensions probed per page load, this has moved beyond what fraud prevention alone explains.

The presence of 200 direct competitors, 509 job-search tools, and extensions that signal religion, neurodivergence, and political orientation pushes the data set into territory the Irish DPC’s €310 million ruling has already mapped. And the more-than-tenfold growth coincides almost exactly with the window in which the DMA was supposed to open the platform up to the very third-party tools the system is now optimised to detect.

Maybe BrowserGate overreached. The “largest corporate espionage operation in modern history” framing handed LinkedIn an easy rebuttal and gave commentators permission to treat the underlying facts as contested.

They aren’t: the scanning is real, the list is documented. LinkedIn confirmed it. SecurityWeek’s pushback addresses the sensationalism more than the system itself.

You can debate where the legal line falls. The case before the Irish DPC, the German appeals court, and any DMA-specific complaints to the European Commission will work that out over the next two to three years. What you can assess right now, without waiting on a verdict, is what the list tells you about how LinkedIn makes decisions when its competitive position and its regulatory obligations are in tension.

The list doesn’t lie. It just needs to be read for what it is.
