- BrowserGate alleges LinkedIn scans over 6,000 Chrome extensions on every page load without user consent.
- Extensions linked to job searches, religion, politics, and disabilities are reportedly among those detected.
- Data is allegedly encrypted and sent to LinkedIn servers and shared with HUMAN Security, a US-Israeli cybersecurity firm.
- LinkedIn denies wrongdoing, saying the scans detect extensions that violate its Terms of Service.
6,222 Extensions, Zero Consent Prompts
A public dossier published by Fairlinked e.V., a group representing commercial LinkedIn users, accuses the Microsoft-owned platform of deploying a JavaScript bundle that silently fingerprints visitors’ browser extensions. The file — a 2.7 MB production chunk served to every Chrome-based visitor — reportedly contains a hardcoded list of 6,222 extension identifiers. Each page load allegedly triggers the scan, checking for installed extensions by probing their internal resource paths.
The scale has grown aggressively: 38 extensions in 2017, 461 in 2024, over 5,400 by December 2025, and past 6,000 in early 2026. BrowserGate estimates the listed extensions collectively represent over 400 million users. The scan runs silently — no consent banner, no notification, no mention in LinkedIn’s privacy policy.
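For readers who want to check their own exposure, the following is an added example, not code from BrowserGate, Fairlinked or LinkedIn. It audits an extension's `manifest.json` and reports which files a given page could request at a fixed URL. It assumes that "probing internal resource paths" refers to page requests for `chrome-extension://<id>/<path>`; the sample manifests and function names are constructed for illustration.

```javascript
// Assumption (added example): a page probes chrome-extension://<id>/<path>,
// which loads only files the manifest lists in web_accessible_resources.
function matchPatternToRegExp(pattern) {
  if (pattern === '<all_urls>') return /^(https?|file|ftp|wss?):\/\/.*/;
  const m = /^(\*|https?|file|ftp):\/\/(\*|(?:\*\.)?[^\/*]+)?(\/.*)$/.exec(pattern);
  if (!m) return null; // malformed pattern: treat as matching nothing
  const [, scheme, host = '', path] = m;
  const esc = (s) => s.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
  let hostRe = esc(host);
  if (host === '*') hostRe = '[^/]+';
  else if (host.startsWith('*.')) hostRe = '(?:[^/]+\\.)?' + esc(host.slice(2));
  const schemeRe = scheme === '*' ? 'https?' : scheme;
  return new RegExp('^' + schemeRe + '://' + hostRe + path.split('*').map(esc).join('.*') + '$');
}

// Resource paths a page at pageUrl could fetch from this extension.
function probeableResources(manifest, pageUrl) {
  const exposed = [];
  for (const entry of manifest.web_accessible_resources || []) {
    if (typeof entry === 'string') { // Manifest V2: readable from every site
      exposed.push({ path: entry, stableUrl: true });
      continue;
    }
    const hit = (entry.matches || []).some((p) => {
      const re = matchPatternToRegExp(p);
      return re !== null && re.test(pageUrl);
    });
    if (!hit) continue;
    for (const path of entry.resources || []) {
      // use_dynamic_url: resource is reachable only via a per-session ID
      exposed.push({ path, stableUrl: entry.use_dynamic_url !== true });
    }
  }
  return exposed;
}

// Constructed sample manifests (not real extensions).
const samples = {
  v2Legacy: { manifest_version: 2, web_accessible_resources: ['img/icon.png'] },
  v3Open: { web_accessible_resources: [{ resources: ['inject.js'], matches: ['<all_urls>'] }] },
  v3Scoped: { web_accessible_resources: [{ resources: ['panel.html'], matches: ['https://*.example.org/*'] }] },
  v3Dynamic: { web_accessible_resources: [{ resources: ['ui.css'], matches: ['https://*.linkedin.com/*'], use_dynamic_url: true }] },
  none: { manifest_version: 3 },
};
// Paths reachable at a fixed URL, per sample, for a given page.
function auditAll(pageUrl) {
  return Object.fromEntries(Object.entries(samples).map(([name, m]) =>
    [name, probeableResources(m, pageUrl).filter((r) => r.stableUrl).map((r) => r.path)]));
}
```

An extension that lists no web-accessible resources, scopes them to unrelated origins, or sets `use_dynamic_url` returns an empty list for a LinkedIn page in this audit.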
What Your Extensions Reveal About You
Browser extensions are not neutral add-ons. BrowserGate’s database shows that the scanned list includes 509 job search tools (1.4 million cumulative users), sales intelligence platforms like Apollo, Lusha, ZoomInfo, HubSpot, and Salesforce, plus privacy tools like VPNs and Malwarebytes Browser Guard. More sensitive entries include extensions for practicing Muslims and neurodivergent users, as well as political activism tools.
Cross-referenced with a LinkedIn profile — real name, employer, job title — these signals stop being anonymous telemetry. They become a corporate intelligence map: which companies use competing CRM tools, which employees are quietly job-hunting, which teams rely on specific security configurations. BrowserGate frames this as potential corporate espionage at scale, not just a privacy violation.
GDPR, ePrivacy, and a German Court Battle
The legal exposure is significant. Under Article 9 of the GDPR, processing data that reveals religious beliefs, political opinions, or health conditions requires explicit consent. Scanning extensions that surface these signals — without disclosure — could violate that provision. The ePrivacy Directive’s Article 5(3) separately restricts access to information stored on a user’s device without consent, a principle that browser extension probing directly implicates.
BrowserGate also invokes the EU Digital Markets Act. The European Commission designated Microsoft as a gatekeeper in 2023, with LinkedIn among the services covered. Scanning over 200 competing products’ extensions could raise questions about fair competition under DMA obligations. Fairlinked has filed legal proceedings in Germany, though LinkedIn told Cybernews that a German court rejected the initial claims and found the plaintiff’s own data practices non-compliant.
LinkedIn Says It Is Protecting Users, Not Spying on Them
LinkedIn responded on Hacker News, calling the allegations inaccurate. The company says the extension detection targets tools that violate its Terms of Service — specifically scrapers that harvest member data at scale, degrading platform stability. A LinkedIn representative wrote that the company uses extension data to “inform and improve technical defenses” and “understand why a member account might be fetching an inordinate amount of other members’ data.” The company explicitly denied using the data to infer sensitive information about members.
LinkedIn also disclosed that the individual behind BrowserGate had their account restricted for scraping violations before launching the campaign. The framing from LinkedIn is clear: this is a disgruntled actor who lost in court and is now relitigating in public.
The Evidence Pack and What Comes Next
BrowserGate has published a SHA-512-hashed evidence pack, a video demonstration of the extension probing mechanism, and what it presents as a sworn affidavit from a senior LinkedIn engineering manager that allegedly contradicts the company’s public statements. These are detailed, technical, and structured — but they remain unverified by any regulatory authority or court.
The next moves matter more than the current noise. EU data protection authorities have not yet opened a formal investigation. No DMA enforcement action has been announced. The German court ruling, while favorable to LinkedIn, addressed the plaintiff’s conduct rather than the core technical allegations. Whether BrowserGate’s evidence holds up under regulatory scrutiny will determine if this becomes a landmark privacy case or a footnote. Until then, every Chrome user visiting LinkedIn should know that their browser might be telling the platform far more than their profile ever did.