
LinkedIn Is Illegally Searching Your Computer

Microsoft is running one of the largest corporate espionage operations in modern history.

Every time any of LinkedIn’s one billion users visits linkedin.com, hidden code searches their computer for installed software, collects the results, and transmits them to LinkedIn’s servers and to third-party companies including an American-Israeli cybersecurity firm.

The user is never asked. Never told. LinkedIn’s privacy policy does not mention it.

Because LinkedIn knows each user’s real name, employer, and job title, it is not searching anonymous visitors. It is searching identified people at identified companies. Millions of companies. Every day. All over the world.

This is illegal and potentially a criminal offense in every jurisdiction we have examined.

(If you’re in a hurry -> read our Executive Summary)


Who we are

Fairlinked e.V. is an association of commercial LinkedIn users. We represent the professionals who use LinkedIn, the businesses that invest in and depend on the platform, and the toolmakers who build products for it.

BrowserGate is our investigation and campaign to document one of the largest corporate espionage and data breach scandals in digital history, to inform the public and regulators, to collect evidence, and to raise funds for the legal proceedings required to stop it.

What we found

Mass breach of personal data

LinkedIn’s scan reveals the religious beliefs, political opinions, disabilities, and job search activity of identified individuals. LinkedIn scans for extensions that identify practicing Muslims, extensions that reveal political orientation, extensions built for neurodivergent users, and 509 job search tools that expose who is secretly looking for work on the very platform where their current employer can see their profile.

Under EU law, this category of data is not regulated. It is prohibited. LinkedIn has no consent, no disclosure, and no legal basis. Its privacy policy does not mention any of this.

Corporate espionage and trade secret theft

LinkedIn scans for over 200 products that directly compete with its own sales tools, including Apollo, Lusha, and ZoomInfo. Because LinkedIn knows each user’s employer, it can map which companies use which competitor products. It is extracting the customer lists of thousands of software companies from their users’ browsers without anyone’s knowledge.

Then it uses what it finds. LinkedIn has already sent enforcement threats to users of third-party tools, using data obtained through this covert scanning to identify its targets.

Deceiving EU regulators

In 2023, the EU designated LinkedIn as a regulated gatekeeper under the Digital Markets Act and ordered it to open its platform to third-party tools. LinkedIn’s response:

It published two restricted APIs and presented them to the European Commission as compliance. Together, these APIs handle approximately 0.07 calls per second. Meanwhile, LinkedIn already operates an internal API called Voyager that powers every LinkedIn web and mobile product at 163,000 calls per second. In Microsoft’s 249-page compliance report to the EU, the word “API” appears 533 times. “Voyager” appears zero times.

At the same time, LinkedIn expanded its surveillance of the exact tools the regulation was designed to protect. The scan list grew from roughly 461 products in 2024 to over 6,000 by February 2026. The EU told LinkedIn to let third-party tools in. LinkedIn built a surveillance system to find and punish every user of those tools.

Shipping your data to third parties

LinkedIn loads an invisible tracking element, zero pixels wide and hidden off-screen, from HUMAN Security (formerly PerimeterX), an American-Israeli cybersecurity firm. The element sets cookies on your browser without your knowledge. A separate fingerprinting script runs from LinkedIn’s own servers. A third script from Google executes silently on every page load. All of it encrypted. None of it disclosed.

Why we need you

Microsoft has 33,000 employees and a $15 billion legal budget. We have the evidence. What we need is people and funding to hold them accountable.

Take action →


1 - Executive Summary

Microsoft Corporation’s LinkedIn is running a massive, global, and illegal spying operation on every computer that visits their website.

1. The Regulation of LinkedIn

In 2024 Microsoft was designated as a “gatekeeper” under the Digital Markets Act in the EU.
The two regulated products are Microsoft Windows and Microsoft LinkedIn.

The Digital Markets Act mandates that gatekeepers allow

business users and authorized third parties free, effective, high-quality, continuous and real-time access to all data, including personal data, that is generated through the use of (LinkedIn).

2. The Legalization of LinkedIn Tools

This regulation legalizes the use of third-party tools to access your data on LinkedIn.
(Which renders section 8.2.2 of LinkedIn’s Terms of Service void.)

Instead of complying with this regulation, Microsoft decided to distract EU regulators in Brussels with what can only be described as “compliance theater”. It includes the publication of two unnecessary, inadequate and insufficient APIs, misleading statements in public hearings, and the complete omission of the fact that there already is a highly effective API, “Voyager”, that Microsoft uses to power all their web and mobile services.

At the same time LinkedIn systematically shuts down companies who offer LinkedIn tools.

Businesses destroyed. Accounts suspended. Customers threatened. Small companies sued into obliteration by a corporation with an unlimited legal war chest.

3. Non-Compliance turns into criminal behavior

As part of its campaign to remove from the market everyone who might actually make use of the Digital Markets Act, LinkedIn started injecting malicious code into the browsers of their users, without their knowledge or their consent.

At the time of writing, this code downloads a list of 6,222 software products and brute-forces the detection of each one. The scan covers extensions with a combined user base of approximately 405 million people.

4. The Bigger Picture

Because LinkedIn knows each visitor’s name, employer, and job title, every detected extension is matched to an identified individual. And because LinkedIn knows where each user works, these individual scans aggregate into detailed profiles of companies, institutions, and government agencies, revealing which software tools their employees use without the organization’s knowledge or consent.

A Massive Data Breach of Sensitive Data and Trade Secrets

The malicious JavaScript that Microsoft secretly injects into the LinkedIn website searches each user’s browser for installed software applications.

The search reveals:

  • Political opinions of users, through extensions like “Anti-woke,” “Anti-Zionist Tag,” and “No more Musk”
  • Religious beliefs, through extensions like “PordaAI” (blur haram content) and “Deen Shield” (blocks haram sites)
  • Disability and neurodivergence, through extensions like “simplify” (for neurodivergent users)
  • Employment status, through 509 job search extensions that reveal who is looking for work on the very platform where their current employer can see their profile
  • Trade secrets of millions of companies, by mapping which organizations use which competitor products, from Apollo to ZoomInfo

LinkedIn has not disclosed this practice in its privacy policy. There is no mention of extension scanning in any public-facing document.

Search the full list of 6,222 extensions →

Read how the detection system works →

Take action →

Overview

2 - Introduction - What is BrowserGate?

LinkedIn is searching your computer

Every time you visit linkedin.com, a JavaScript program embedded in the page scans your browser for installed Chrome extensions. The program runs silently, without any visible indicator to the user. It does not ask for consent. It does not disclose what it is doing. It reports the results to LinkedIn’s servers.

This is not a one-time check. The scan runs on every page load, for every visitor.

How the Detection Works

LinkedIn’s code uses a three-stage fallback chain to detect whether a specific extension is installed in your browser.

Stage 1: Direct communication. The code attempts to contact the extension directly using Chrome’s externally_connectable messaging API. If the extension developer has explicitly disabled this channel in their manifest.json, this method fails, and LinkedIn moves to stage 2.

Stage 2: Resource probing. The code attempts to fetch a known file from the extension using its web_accessible_resources. This is the equivalent of checking whether a door is unlocked by trying the handle. If the extension developer has not exposed any web-accessible resources, this also fails, and LinkedIn moves to stage 3.

Stage 3: DOM mutation detection. The code monitors for changes to the page structure that are characteristic of specific extensions injecting elements into LinkedIn’s interface. This catches extensions that modify what you see on the page.

When an extension developer explicitly disables externally_connectable, they are setting a security boundary. They are saying: “websites should not be able to communicate with this extension.” LinkedIn’s code treats that boundary as an obstacle to route around. The German Federal Court of Justice (BGH, 5 StR 614/19) has ruled that even quickly circumvented security measures qualify as “besondere Sicherung” (special security measures) under § 202a StGB. Bypassing them constitutes unauthorized data access.

How the Results Are Sent

Detection results are transmitted to LinkedIn’s servers using an internal tracking function called fireTrackingPayload with an event type of "AedEvent". The payload includes which extensions were detected. Because the user is logged in, LinkedIn can match the scan results to a specific person, their employer, their job title, and their location.

Scale and Growth

The number of extensions LinkedIn scans for has grown by two orders of magnitude in seven years.

| Period | Extensions scanned |
|---|---|
| 2017 | 38 |
| 2024 | ~461 |
| May 2025 | ~1,000 |
| December 2025 | 5,459 |

The acceleration correlates with a specific event. In September 2023, the European Commission designated LinkedIn as a gatekeeper under the Digital Markets Act. The DMA requires LinkedIn to allow third-party tools to interoperate with its platform. LinkedIn’s response was not to open up. It was to massively expand its surveillance of the exact tools the regulation was designed to protect.

From 2017 to 2024, LinkedIn added roughly 60 extensions per year. From 2024 to December 2025, it added nearly 5,000.

What LinkedIn Scans For

The 6,222 extensions break down into several categories.

762 LinkedIn-specific tools. Extensions built for LinkedIn productivity, content creation, and networking. These are the tools the DMA explicitly requires LinkedIn to accommodate.

209 sales and prospecting competitors. Extensions from companies that compete with LinkedIn’s own Sales Navigator product (~$1B/year revenue). This includes Apollo (600,000 users), Lusha (300,000 users), and ZoomInfo (300,000 users), among others. Detecting these tells LinkedIn which of its customers also use competing products.

509 job search extensions with a combined 1.4 million users. These extensions reveal that a user is actively looking for work. On LinkedIn, that information is visible in the context of the user’s current employer, their colleagues, and their manager.

VPNs, ad blockers, and security tools. Including Malwarebytes Browser Guard (10 million users), KeepSolid VPN Unlimited, Zoho Vault, and LinkedIn Profile Privacy Shield. Scanning for privacy and security tools reveals which users are trying to protect themselves online.

Religious extensions. PordaAI (“Blur Haram objects in Images and Videos, Real-time AI for Islamic values,” 5,000 users) identifies Muslim users. Deen Shield (“Blocks haram & distracting sites, Quran Home Tab”) does the same.

Political extensions. Anti-woke (“Shows warnings about woke companies”), Anti-Zionist Tag (“Adds a tag to the LinkedIn profiles of Anti-Zionists”), No more Musk (“Hides digital noise related to Elon Musk,” 19 users), Political Circus (“Politician → Clown AI Filter,” 7 users), and several others that reveal political orientation.

Disability and neurodivergence tools. Including “simplify,” described as “for neurodivergent users” (79 users).

Search the full list of 6,222 extensions →

Corporate and Institutional Profiling

The scanning does not stop at individuals. Because LinkedIn knows each user’s employer, job title, and department, every detected extension is attributed to an organization. If three employees at a company have Apollo installed, LinkedIn now knows that company uses Apollo. If a government ministry’s staff use a specific VPN, LinkedIn knows that too.

This amounts to mapping the software infrastructure of millions of companies, institutions, and government agencies, assembled without any organization’s knowledge or consent. For LinkedIn’s competitors in the sales intelligence market, this is a surveillance system that identifies exactly which customers are evaluating rival products.

No Disclosure

LinkedIn’s privacy policy contains zero mention of extension scanning. The practice does not appear in any public-facing document, help page, or developer resource. There is no opt-out mechanism because there is nothing to opt out of. As far as LinkedIn’s public disclosures are concerned, this program does not exist.

Under GDPR Articles 13 and 14, data controllers must inform individuals about the processing of their personal data at the time of collection. LinkedIn does not.

Under GDPR Article 9, processing data that reveals religious beliefs, political opinions, or health conditions requires explicit consent. LinkedIn obtains none.

Under TTDSG § 25 (the German transposition of the ePrivacy Directive), accessing information stored on a user’s terminal device requires explicit consent, the same legal basis as cookie consent. LinkedIn does not ask.

3 - The Attack: How it works

Every time you open LinkedIn in a Chrome-based browser, LinkedIn’s JavaScript executes a silent scan of your installed browser extensions. The scan probes for thousands of specific extensions by ID, collects the results, encrypts them, and transmits them to LinkedIn’s servers. The entire process happens in the background. There is no consent dialog, no notification, no mention of it in LinkedIn’s privacy policy.

This page documents exactly how the system works, with line references and code excerpts from LinkedIn’s production JavaScript bundle.


Source File

All code references on this page come from a single JavaScript bundle served to every LinkedIn visitor. The filename is a content hash that changes with each deployment (e.g. 5fdhwcppjcvqvxsawd8pg1n51.js), but the stable identifiers are:

| Property | Value |
|---|---|
| Webpack chunk ID | chunk.905 |
| Extension scan module | 75023 |
| Bundle size | ~2.7 MB |
| Framework | Ember.js (globalThis.webpackChunk_ember_auto_import_) |

The bundle is a Webpack package containing multiple modules. Three of those modules form the scanning system described below.

Line numbers referenced on this page are from the December 2025 version of the bundle. They may shift between deployments, but the code structures, string literals, and module exports remain searchable by keyword.


Architecture

LinkedIn’s extension detection consists of three cooperating systems inside the same JavaScript bundle:

| System | Internal Name | Function |
|---|---|---|
| APFC / DNA | triggerApfc, triggerDnaApfcEvent | Device fingerprinting engine. Collects 48 browser characteristics. |
| AED | AedEvent, fetchExtensions | Active Extension Detection. Probes for known extensions using fetch(). |
| Spectroscopy | SpectroscopyEvent, scanDOMForPrefix | Passive extension detection. Scans the DOM for evidence of extension activity. |

All three systems feed into the same telemetry pipeline: LinkedIn’s li/track endpoint.


The Extension List

At line 9571, character offset 443, inside Webpack module 75023, there is a hardcoded array:

const r = [
  {id: "aaaeoelkococjpgngfokhbkkfiiegolp", file: "assets/index-COXueBxP.js"},
  {id: "aabfjmnamlihmlicgeoogldnfaaklfon", file: "images/logo.svg"},
  {id: "aacbpggdjcblgnmgjgpkpddliddineni", file: "sidebar.html"},
  // ... thousands more entries ...
];

Each entry has two fields:

  • id: A 32-character Chrome Web Store extension ID
  • file: A known file path inside that extension’s package, such as popup.html, icon.png, or manifest.json

The file field is not incidental. Someone at LinkedIn has identified a specific internal resource for each extension that is declared as web-accessible. This is the probe target.

As of December 2025, the array contained 5,459 entries. By February 2026, it had grown to 6,167. The array alone occupies roughly 409,000 characters of source code.


Stage 1: Active Extension Detection (AED)

AED is a brute-force scan. It attempts to load a known file from each extension using the fetch() API.

Chrome extensions can expose internal files to web pages through the web_accessible_resources field in their manifest.json. When an extension is installed and has exposed a resource, a fetch() request to chrome-extension://{id}/{file} will succeed. When the extension is not installed, Chrome blocks the request and the promise rejects.

LinkedIn tests every extension in the list this way.
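For extension developers, the exposure described above can be checked from the manifest alone. The following is an added example, not code from LinkedIn's bundle or from the original page: it reports which resources a page at a given origin could fetch at a fixed chrome-extension:// URL. The function names and sample manifests are constructed; use_dynamic_url is the Manifest V3 key that Chrome documents as serving a resource only under a per-session ID.

```javascript
// Added example (not from the page): manifest audit for fixed-URL resource probing.

// True when a web_accessible_resources match pattern covers the page origin.
// Only scheme and host are compared, because this key is scoped by origin.
function patternCoversOrigin(pattern, origin) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?):\/\/([^/]+)\//.exec(pattern);
  if (!m) return false;
  const [, scheme, host] = m;
  const page = new URL(origin);
  const pageScheme = page.protocol.slice(0, -1);
  if (pageScheme !== "http" && pageScheme !== "https") return false;
  if (scheme !== "*" && scheme !== pageScheme) return false;
  if (host === "*") return true;
  if (host.startsWith("*.")) {
    const base = host.slice(2);
    return page.hostname === base || page.hostname.endsWith("." + base);
  }
  return page.hostname === host;
}

// Returns the resource paths that a page at pageOrigin can request at a
// stable chrome-extension://<id>/<path> URL, i.e. usable as a probe target.
function auditManifest(manifest, pageOrigin) {
  const war = manifest.web_accessible_resources || [];
  const paths = [];
  if (manifest.manifest_version === 2) {
    // Manifest V2: a flat list of paths, readable from every web page.
    paths.push(...war);
  } else {
    for (const entry of war) {
      const matches = entry.matches || [];
      if (!matches.some((p) => patternCoversOrigin(p, pageOrigin))) continue;
      // With use_dynamic_url the resource is reachable only through a
      // per-session ID, so a URL built from the store ID does not resolve.
      if (entry.use_dynamic_url === true) continue;
      paths.push(...(entry.resources || []));
    }
  }
  return { probeable: paths.length > 0, paths };
}

// Constructed sample manifests (not real extensions).
const SAMPLES = {
  mv2Legacy: { manifest_version: 2, web_accessible_resources: ["images/logo.svg"] },
  mv3AllUrls: {
    manifest_version: 3,
    web_accessible_resources: [{ resources: ["sidebar.html"], matches: ["<all_urls>"] }],
  },
  mv3OtherSite: {
    manifest_version: 3,
    web_accessible_resources: [
      { resources: ["popup.html"], matches: ["https://mail.example.com/*"] },
    ],
  },
  mv3Dynamic: {
    manifest_version: 3,
    web_accessible_resources: [
      { resources: ["icon.png"], matches: ["https://*.linkedin.com/*"], use_dynamic_url: true },
    ],
  },
  noResources: { manifest_version: 3 },
};

for (const [name, manifest] of Object.entries(SAMPLES)) {
  const result = auditManifest(manifest, "https://www.linkedin.com");
  console.log(name, result.probeable ? "PROBEABLE " + result.paths.join(", ") : "not probeable");
}
```

Scoping matches to the sites that actually need the resource, or enabling use_dynamic_url, removes the extension from the set a fixed-URL probe can detect.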

Method 1: Parallel batch scan

Lines 9573 to 9576:

async function c() {
  const e = [],
    t = r.map(({id: t, file: n}) => {
      return fetch(`chrome-extension://${t}/${n}`)
    });
  (await Promise.allSettled(t)).forEach((t, n) => {
    if ("fulfilled" === t.status && void 0 !== t.value) {
      const t = r[n];
      t && e.push(t.id);
    }
  });
  return e;
}

This fires all 6,222 fetch() requests simultaneously using Promise.allSettled(). Every request that resolves as "fulfilled" means that extension is installed. The function returns an array of detected extension IDs.

Method 2: Staggered sequential scan

Lines 9578 to 9579:

async function(e) {
  const t = [];
  for (const {id: n, file: i} of r) {
    try {
      await fetch(`chrome-extension://${n}/${i}`) && t.push(n);
    } catch(e) {}
    e > 0 && await new Promise(t => setTimeout(t, e));
  }
  return t;
}

This alternative probes extensions one at a time with a configurable delay between each request. Failed fetches are silently caught and discarded. The delay parameter (staggerDetectionMs) allows LinkedIn to throttle the scan, reducing its visibility in network monitoring tools and lowering CPU impact.

Which method runs

Lines 9577 to 9579:

const {
  useRequestIdleCallback: i = false,
  timeout: o = 2000,
  staggerDetectionMs: l = 0
} = n;

const d = async () => {
  const n = l > 0
    ? await staggeredScan(l)   // Method 2
    : await c();               // Method 1
  // ... fire tracking events ...
};

i && "function" == typeof window.requestIdleCallback
  ? window.requestIdleCallback(d, {timeout: o})
  : await d();

If staggerDetectionMs is greater than zero, LinkedIn uses the slower sequential scan. Otherwise it fires the parallel batch. The scan can also be deferred to requestIdleCallback, which delays execution until the browser is idle. The user sees no performance impact. The scan leaves no visible trace.
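Because the scan can run either as a burst or as a slow trickle, a check that counts requests per second misses the staggered mode. The following added example (not from LinkedIn's bundle or the original page) instead counts distinct extension IDs requested per page, which flags both modes. The record shape {t, page, url, ok}, the thresholds, and the sample data are assumptions constructed for illustration.

```javascript
// Added example (not from the page): flag pages that probe many extensions.

const EXT_URL = /^chrome-extension:\/\/([a-p]{32})\//;

// records: [{ t: ms timestamp, page: requesting origin, url, ok: fetch resolved }]
// A page is flagged when it requested at least minDistinctIds different
// extension IDs, no matter how far apart in time the requests were.
function findExtensionProbing(records, { minDistinctIds = 10, staggerGapMs = 50 } = {}) {
  const byPage = new Map();
  for (const r of records) {
    const m = EXT_URL.exec(r.url);
    if (!m) continue;
    let group = byPage.get(r.page);
    if (!group) {
      group = { ids: new Set(), hits: new Set(), times: [] };
      byPage.set(r.page, group);
    }
    group.ids.add(m[1]);
    if (r.ok) group.hits.add(m[1]);
    group.times.push(r.t);
  }

  const findings = [];
  for (const [page, group] of byPage) {
    if (group.ids.size < minDistinctIds) continue;
    const times = group.times.slice().sort((a, b) => a - b);
    const gaps = times.slice(1).map((t, i) => t - times[i]).sort((a, b) => a - b);
    const medianGap = gaps[Math.floor(gaps.length / 2)] ?? 0;
    findings.push({
      page,
      distinctIds: group.ids.size,
      installedIds: [...group.hits].sort(), // IDs whose probe succeeded
      spanMs: times[times.length - 1] - times[0],
      pattern: medianGap >= staggerGapMs ? "staggered" : "burst",
    });
  }
  return findings;
}

// Constructed 32-letter IDs (a-p alphabet), not real extensions.
const fakeId = (n) =>
  n.toString(16).padStart(32, "0")
    .replace(/[0-9a-f]/g, (c) => String.fromCharCode(97 + parseInt(c, 16)));

// Constructed request log: one burst scanner, one staggered scanner, and one
// page that legitimately loads a single extension resource a few times.
function buildSample() {
  const recs = [];
  for (let i = 0; i < 12; i++) {
    recs.push({ t: 1000 + i, page: "https://burst.example",
                url: `chrome-extension://${fakeId(i)}/popup.html`, ok: i === 3 });
    recs.push({ t: 5000 + i * 250, page: "https://staggered.example",
                url: `chrome-extension://${fakeId(i)}/icon.png`, ok: i === 5 || i === 7 });
  }
  for (let i = 0; i < 3; i++) {
    recs.push({ t: 9000 + i, page: "https://benign.example",
                url: `chrome-extension://${fakeId(42)}/images/logo.svg`, ok: true });
  }
  return recs;
}

for (const f of findExtensionProbing(buildSample())) {
  console.log(`${f.page}: ${f.distinctIds} IDs probed (${f.pattern}, ${f.spanMs} ms), ` +
              `${f.installedIds.length} resolved`);
}
```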


Stage 2: Passive DOM Scanning (Spectroscopy)

Independent of the AED scan, LinkedIn runs a second detection system that walks the entire DOM tree looking for evidence of extension activity.

Many Chrome extensions inject elements into web pages: modified HTML, added scripts, altered attributes, UI overlays. When they do, the injected content often contains references to the extension’s internal URL scheme (chrome-extension://). Spectroscopy finds these references.

Implementation

Lines 9581 to 9587:

const d = "chrome-extension://";

function p(e, t, n) {
  // Scan text nodes
  if (e.nodeType === Node.TEXT_NODE
      && void 0 !== e.textContent
      && e.textContent.includes(t))
    n.push(u(e.textContent));

  // Scan element attributes
  if (e.nodeType === Node.ELEMENT_NODE)
    for (let i = 0; i < e.attributes.length; i++) {
      const o = e.attributes.item(i);
      void 0 !== o.value && o.value.includes(t) && n.push(u(o.value));
    }

  // Recurse into child nodes
  for (let i = 0; i < e.childNodes.length; i++)
    p(e.childNodes[i], t, n);
}

The function p starts at the document root and recursively inspects every node. For text nodes, it checks whether the text contains chrome-extension://. For element nodes, it checks every attribute value. When it finds a match, it extracts the 32-character extension ID from the URL.

The results are fired as a SpectroscopyEvent:

Array.isArray(n) && n.length > 0
  && e.fireTrackingPayload("SpectroscopyEvent", {browserExtensionIds: n, ...t});

Why two detection methods

| Method | Technique | What it catches |
|---|---|---|
| AED | fetch() against known resource paths | Extensions that are merely installed, even if they inject nothing into the current page |
| Spectroscopy | Full DOM tree walk | Extensions that actively modify the page, even if they are not in LinkedIn’s hardcoded list |

AED requires a pre-built target list but can detect passive extensions. Spectroscopy requires no list but only catches extensions that leave traces in the DOM. Together, they cover both cases.


Data Transmission

Detected extension IDs are sent to LinkedIn’s servers through two tracking events.

AedEvent (active scan results)

Line 9580:

Array.isArray(n) && n.length > 0
  && e.fireTrackingPayload("AedEvent", {browserExtensionIds: n, ...t});

SpectroscopyEvent (passive scan results)

Line 9587:

Array.isArray(n) && n.length > 0
  && e.fireTrackingPayload("SpectroscopyEvent", {browserExtensionIds: n, ...t});

Both events carry a browserExtensionIds array containing the Chrome extension IDs detected on that user’s browser. Both feed into the same telemetry transport.

The telemetry pipeline

The fireTrackingPayload method sends data to LinkedIn’s li/track endpoint:

https://www.linkedin.com/li/track

This endpoint is referenced at lines 2026, 4288, and 11785. The transport layer batches up to 29 events per request (line 2098), retries up to 4 times on failure, and supports LZ-based compression before transmission (function compressToBase64, lines 9587 to 9601).


Encryption

Before transmission, the fingerprint payload (which includes the extension scan results) is encrypted.

Line 9528:

f.encryptWithKeyFromDifferentSources(
  JSON.stringify(t),
  "apfcDfPK",    // Public key identifier
  "apfcDfPKV",   // Public key version
  n, r
).then(t => {
  globalThis.apfcDf = t;
  // ... transmit to telemetry endpoint ...
});

The payload is serialized to JSON, encrypted using an RSA public key identified as apfcDfPK, and stored on globalThis.apfcDf. From there, it is transmitted to two endpoints:

  • /platform-telemetry/li/apfcDf
  • /apfc/collect

The encrypted fingerprint is also injected as an HTTP header into subsequent API requests made during the user’s session (via SyncCollectionHandler, line 9525). This means the fingerprint does not get sent once. It accompanies every API call the user makes for the duration of their visit.


Browser Targeting

Lines 9572 to 9577:

function a() {
  return "undefined" != typeof window
    && window
    && "node" !== window.appEnvironment;
}

function s() {
  return window?.navigator?.userAgent?.indexOf("Chrome") > -1;
}

if (!a() || !s()) return;

The extension scan runs only in Chrome-based browsers. The isUserAgentChrome() function (s in the excerpt above) checks for “Chrome” in the user agent string. The isBrowser() function (a in the excerpt above) excludes server-side rendering environments. If either check fails, the scan does not execute.

This means every user visiting LinkedIn with Chrome, Edge, Brave, Opera, Arc, or any other Chromium-based browser is subject to the scan.


The Larger Fingerprinting System: APFC

The extension scan is one component of a broader device fingerprinting system called APFC (Anti-fraud Platform Features Collection), internally also referred to as DNA (Device Network Analysis).

APFC collects 48 distinct browser characteristics (line 2260):

| # | Feature | What it collects |
|---|---|---|
| 1 | webrtc | Local IP address via WebRTC |
| 2 | enumerateDevices | Connected cameras, microphones, speakers |
| 3–6 | appName, tsSeed, appVersion, appCodeName | Browser identification strings |
| 7 | location | Page URL components (protocol, hostname, port, origin, href, hash, pathname) |
| 8 | javascripts | JavaScript engine characteristics |
| 9–13 | platform, product, productSub, cpuClass, oscpu | OS and CPU identification |
| 14 | hardwareConcurrency | Number of CPU cores |
| 15 | deviceMemory | Device RAM in GB |
| 16–17 | vendor, vendorSub | Browser vendor strings |
| 18 | language | Browser language |
| 19–20 | timezoneOffset, timezone | Timezone data |
| 21 | userAgent | Full user agent string |
| 22 | webdriver | Whether the browser is controlled by automation |
| 23 | doNotTrack | Do Not Track setting |
| 24 | incognito | Whether the user is in private browsing mode |
| 25–30 | Screen properties | Color depth, pixel depth, pixel ratio, resolution, orientation, available resolution |
| 31–35 | Storage detection | sessionStorage, localStorage, IndexedDB, addBehavior, openDatabase |
| 36 | canvas | Canvas fingerprint (rendered hidden element, hashed) |
| 37 | webgl | WebGL renderer, vendor, extensions, 65+ parameter values |
| 38 | signals | Browser lie detection (spoofed OS, browser, resolution, language) |
| 39 | touchSupport | Touch screen capabilities |
| 40 | networkInfo | Connection type, downlink speed, round-trip time |
| 41 | battery | Battery level, charging status, estimated discharge time |
| 42 | audio | AudioContext fingerprint (oscillator, compressor, analyser nodes) |
| 43 | automation | Automation framework detection |
| 44–45 | plugins, mimetyps | Browser plugin list and MIME types |
| 46–47 | fonts, fontsFlash | Installed system fonts |
| 48 | getFeatures | Meta-feature: the collection process itself |

Feature #23 is worth noting in isolation. LinkedIn collects the user’s Do Not Track preference, then excludes it from the fingerprint hash (line 9512, excludes: { doNotTrack: true }). They record that you asked not to be tracked. Then they track you.


Anti-Detection Design

Several implementation choices reveal that this system was designed to avoid detection:

Idle execution. The scan can be deferred to requestIdleCallback, which runs the code only when the browser has no other work to do. The user sees no performance degradation, no spinning indicator, no delay.

Staggered probing. The sequential scan mode introduces a configurable delay between each fetch() request, spreading thousands of network requests over time instead of firing them in a single burst that might appear in developer tools or network monitors.

Hidden iframe. The HUMAN Security (PerimeterX) integration loads a hidden iframe from li.protechts.net that is 0 by 0 pixels, positioned at left: -9999px, and marked aria-hidden="true" (lines 9536 to 9552).

Silent error handling. Failed fetch() requests are caught with empty catch blocks. No errors are logged to the console. No warnings are shown.

RSA encryption. The fingerprint payload is encrypted before transmission. Even if a user inspects the network request in developer tools, the payload contents are not readable.


Third-Party Integrations

The APFC system also feeds data to three external services:

HUMAN Security (formerly PerimeterX)

Lines 9536 to 9552:

c = "https://li.protechts.net/index.html?ts=" + r
    + "&r_id=" + encodeURIComponent(o)
    + "&app_id=" + a + "&uc=scraping"

LinkedIn loads a hidden iframe from li.protechts.net, passing a timestamp, the page’s tree ID, a hashed session cookie (bcookie), and the app ID (PXdOjV695v in production). The iframe reads and sets PerimeterX cookies (_px3, _pxhd, _pxvid, pxcts) via cross-origin postMessage.

Merchant Pool (Device Fingerprinting)

Lines 9529 to 9535:

const n = `https://merchantpool1.linkedin.com/mdt.js
  ?session_id=${bcookie}&instanceId=${instanceId}`

A separate fingerprinting script is loaded from merchantpool1.linkedin.com, passing the user’s session cookie and a hardcoded instance ID (fb6bbd47-fa7c-4264-b4e9-b25948407586).

Google reCAPTCHA v3 Enterprise

Lines 9553 to 9560. LinkedIn loads https://www.google.com/recaptcha/enterprise.js and executes it on page load with action "onPageLoad", collecting the resulting token.


Feature Flags

The fingerprinting and scanning systems are controlled by LinkedIn’s internal experimentation platform, LIX (LinkedIn Internal eXperimentation):

| Flag | Controls |
|---|---|
| pemberly.tracking.fireApfcEvent | DNA fingerprint collection |
| pemberly.tracking.human.integration | HUMAN Security integration |
| pemberly.tracking.dfp.integration | Merchant Pool fingerprinting |
| pemberly.tracking.recaptcha.v3 | reCAPTCHA v3 integration |
| pemberly.tracking.apfc.network.interceptor | Network request interception |
| pemberly.web.ondemand | On-demand fingerprinting mode |
| sync.apfc.headers | Sync fingerprint via HTTP headers |
| sync.apfc.couchbase | Sync fingerprint to Couchbase |
| fingerprinting.collection.skip.performance.marker.check | Skip performance marker check |

These flags allow LinkedIn to enable or disable fingerprinting for specific user segments, run A/B tests on scanning behavior, and roll out changes incrementally. The existence of A/B testing flags for a surveillance system means LinkedIn is actively experimenting with how to scan users more effectively.


Data Flow Summary

1. User opens LinkedIn in a Chrome-based browser
          │
          ▼
2. Webpack loads chunk.905 (~2.7 MB)
          │
          ├──► APFC/DNA engine initializes
          │    Collects 48 browser fingerprinting features
          │    (canvas, WebGL, audio, fonts, hardware, network, battery...)
          │
          ├──► AED: fetchExtensions()
          │    Fires up to 6,222 fetch() requests to chrome-extension:// URLs
          │    Collects IDs of every installed extension that responds
          │    Fires AedEvent with browserExtensionIds[]
          │
          ├──► Spectroscopy: scanDOMForPrefix()
          │    Walks the entire DOM tree
          │    Searches every text node and attribute for "chrome-extension://"
          │    Fires SpectroscopyEvent with browserExtensionIds[]
          │
          ├──► HUMAN Security iframe (li.protechts.net, hidden, 0×0 px)
          ├──► Merchant Pool script (merchantpool1.linkedin.com)
          └──► reCAPTCHA v3 Enterprise
          │
          ▼
3. All data encrypted with RSA public key (apfcDfPK)
          │
          ▼
4. Transmitted to:
     https://www.linkedin.com/li/track
     /platform-telemetry/li/apfcDf
     /apfc/collect
          │
          ▼
5. Encrypted fingerprint stored on globalThis.apfcDf
     Injected as HTTP header into every subsequent API request
     LinkedIn receives the fingerprint with every action you take

How to Verify This Yourself

All of the above can be verified independently.

  1. Open LinkedIn in Chrome.
  2. Open Developer Tools (F12).
  3. Go to the Network tab.
  4. Filter by .js and look for the largest JavaScript bundle (~2.7 MB), or search the page source for chunk.905.
  5. Open the file. Search for chrome-extension://. You will find the extension array in module 75023.
  6. Search for AedEvent and SpectroscopyEvent to find the tracking event triggers.
  7. Search for apfcDfPK to find the encryption logic.
  8. Search for li/track to find the telemetry endpoint.
  9. Watch the Network tab for POST requests to https://www.linkedin.com/li/track after the page loads.

The code is minified and partially obfuscated, but the string literals, endpoint URLs, module exports, and control flow are preserved. Everything documented on this page can be read directly from the source.


Growth Rate

| Date | Extensions in the scan list |
|---|---|
| 2017 | 38 |
| 2024 | ~461 |
| May 2025 | ~1,000 |
| December 2025 | 5,459 |
| February 2026 | 6,167 |

LinkedIn added 708 extensions to the scan list between December 2025 and February 2026. That is roughly 12 new extensions per day. The system is not static. It is actively maintained and expanding.
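The keyword searches in the verification steps and the list comparison behind the growth table can be scripted against saved copies of the bundle. This is an added example, not code from the original page or from LinkedIn: it extracts the {id, file} entries, reports which of the documented string markers are absent, and diffs two saved versions. The sample bundles and IDs below are constructed; on real data, pass in the file contents read with fs.readFileSync.

```javascript
// Added example (not from the page): inspect and compare saved bundle copies.

// String literals the verification steps search for.
const MARKERS = ["chrome-extension://", "AedEvent", "SpectroscopyEvent", "apfcDfPK", "li/track"];

// One minified list entry: {id:"<32 letters a-p>",file:"<path>"}
const ENTRY_RE = /\{\s*id\s*:\s*"([a-p]{32})"\s*,\s*file\s*:\s*"([^"]+)"\s*\}/g;

function inspectBundle(source) {
  const entries = new Map(); // id -> file, de-duplicated by id
  let firstLine = null;      // 1-based line of the first entry found
  for (const m of source.matchAll(ENTRY_RE)) {
    if (firstLine === null) firstLine = source.slice(0, m.index).split("\n").length;
    if (!entries.has(m[1])) entries.set(m[1], m[2]);
  }
  const missingMarkers = MARKERS.filter((k) => !source.includes(k));
  return { entries, entryCount: entries.size, firstLine, missingMarkers };
}

// Compares two inspectBundle() results taken from different deployments.
function diffScanLists(older, newer) {
  const added = [...newer.entries.keys()].filter((id) => !older.entries.has(id)).sort();
  const removed = [...older.entries.keys()].filter((id) => !newer.entries.has(id)).sort();
  const retargeted = [...newer.entries.keys()]
    .filter((id) => older.entries.has(id) && older.entries.get(id) !== newer.entries.get(id))
    .sort();
  return { added, removed, retargeted };
}

// Constructed 32-letter IDs and constructed bundle text (not LinkedIn code).
const ID = (suffix) => "a".repeat(31) + suffix;

const OLD_BUNDLE = [
  "/* constructed sample */",
  `const r=[{id:"${ID("b")}",file:"popup.html"},{id:"${ID("c")}",file:"icon.png"}];`,
  'fetch(`chrome-extension://${t}/${n}`);e.fireTrackingPayload("AedEvent",{});',
  'send("https://www.linkedin.com/li/track","apfcDfPK");',
].join("\n");

const NEW_BUNDLE = [
  "/* constructed sample */",
  "/* second header line */",
  `const r=[{id:"${ID("b")}",file:"popup.html"},{id:"${ID("c")}",file:"manifest.json"},`,
  `{id:"${ID("d")}",file:"sidebar.html"},{id:"abc",file:"too-short-id.js"}];`,
  'fetch(`chrome-extension://${t}/${n}`);e.fireTrackingPayload("AedEvent",{});',
  'e.fireTrackingPayload("SpectroscopyEvent",{});',
  'send("https://www.linkedin.com/li/track","apfcDfPK");',
].join("\n");

const oldReport = inspectBundle(OLD_BUNDLE);
const newReport = inspectBundle(NEW_BUNDLE);
console.log("old:", oldReport.entryCount, "entries, missing markers:", oldReport.missingMarkers);
console.log("new:", newReport.entryCount, "entries, first entry on line", newReport.firstLine);
console.log("diff:", diffScanLists(oldReport, newReport));
```

Entries whose id is not exactly 32 letters in the a-p range are skipped, so the count reflects only well-formed Chrome extension IDs.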


All line numbers and code excerpts reference LinkedIn’s production JavaScript bundle (Webpack chunk.905, module 75023) as served to Chrome users. The filename is a content hash that changes with each deployment. The file is minified, but variable names in module exports, string literals, endpoint URLs, and control flow structures are sufficiently preserved to reconstruct the system described above.

4 - The Evidence Pack

Everything on this page is independently verifiable. The source code speaks for itself, and LinkedIn’s own engineer, under oath, admits it.


Exhibit 1 — LinkedIn’s JavaScript bundle

File: 5fdhwcppjcvqvxsawd8pg1n51.js
Size: ~2.7 MB (13,159 lines of minified JavaScript)
Webpack chunk: chunk.905

This is the file LinkedIn serves to every Chrome user who visits linkedin.com. It contains a hardcoded array of 6,222 Chrome extension IDs, each paired with a specific internal file path that LinkedIn engineers mapped for detection.

Line 9571, character offset 443:

const r=[
  {id:"aaaeoelkococjpgngfokhbkkfiiegolp", file:"assets/index-COXueBxP.js"},
  {id:"aabfjmnamlihmlicgeoogldnfaaklfon", file:"images/logo.svg"},
  {id:"aacbpggdjcblgnmgjgpkpddliddineni", file:"sidebar.html"},
  // ... 5,456 more entries ...
]

The file also contains the detection functions: fetchExtensions (active scanning via fetch() to chrome-extension:// URLs), scanDOMForPrefix (passive DOM scanning), and fireExtensionDetectedEvents (exfiltration to LinkedIn’s li/track telemetry endpoint via AedEvent and SpectroscopyEvent).

Any developer can verify this. Open linkedin.com in Chrome, open developer tools, find the JavaScript bundle, search for fetchExtensions or any Chrome extension ID. It is there.

Download JavaScript bundle (ZIP) →
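The string searches in steps 5 to 8 of "How to Verify This Yourself" and the Exhibit 1 check can be scripted against a saved copy of the bundle. The following is an added example, not code from LinkedIn or from this investigation: it reports where each string named on this page occurs and extracts entries shaped like the excerpt above. The function names and the sample bundle text are constructed for illustration; only the three extension IDs in the sample come from the excerpt.

```javascript
// Added example (not LinkedIn's code): offline string scan of a saved bundle.

// Strings the page says to search for.
const MARKERS = [
  "chrome-extension://", "fetchExtensions", "scanDOMForPrefix",
  "fireExtensionDetectedEvents", "AedEvent", "SpectroscopyEvent",
  "apfcDfPK", "li/track",
];

// Chrome extension IDs are exactly 32 characters from the alphabet a-p.
const EXT_ID = /^[a-p]{32}$/;

// Entries shaped like the Exhibit 1 excerpt: {id:"...",file:"..."}.
// Optional whitespace and quoted keys are tolerated.
const ENTRY = /\{\s*"?id"?\s*:\s*"([^"]+)"\s*,\s*"?file"?\s*:\s*"([^"]*)"\s*\}/g;

// Convert a string index into a 1-based line and column.
function position(text, index) {
  let line = 1;
  for (let i = text.indexOf("\n"); i !== -1 && i < index; i = text.indexOf("\n", i + 1)) {
    line++;
  }
  return { line, column: index - text.lastIndexOf("\n", index - 1) };
}

// Count each marker and record where it first appears.
function findMarkers(text) {
  const out = {};
  for (const marker of MARKERS) {
    let count = 0;
    let first = -1;
    for (let i = text.indexOf(marker); i !== -1; i = text.indexOf(marker, i + marker.length)) {
      if (first === -1) first = i;
      count++;
    }
    out[marker] = { count, first: count ? position(text, first) : null };
  }
  return out;
}

// Collect id/file pairs; ids that are not well-formed extension IDs are set aside.
function extractEntries(text) {
  const files = new Map(); // valid extension ID -> Set of file paths
  const rejected = [];
  let matched = 0;
  for (const [, id, file] of text.matchAll(ENTRY)) {
    matched++;
    if (!EXT_ID.test(id)) { rejected.push(id); continue; }
    if (!files.has(id)) files.set(id, new Set());
    files.get(id).add(file);
  }
  return { matched, files, rejected };
}

function scanBundle(text) {
  const { matched, files, rejected } = extractEntries(text);
  return { markers: findMarkers(text), entriesMatched: matched,
           uniqueIds: files.size, rejected, files };
}

// File paths paired with an extension ID in the list, or null if it is not listed.
function listedFiles(report, extensionId) {
  const set = report.files.get(extensionId);
  return set ? [...set] : null;
}

// Constructed sample text. The fourth entry is deliberately malformed.
const SAMPLE_BUNDLE = [
  '(()=>{var e={75023:(e,t,n)=>{"use strict";',
  'const r=[{id:"aaaeoelkococjpgngfokhbkkfiiegolp",file:"assets/index-COXueBxP.js"},' +
    '{id:"aabfjmnamlihmlicgeoogldnfaaklfon", file:"images/logo.svg"},' +
    '{id:"aacbpggdjcblgnmgjgpkpddliddineni",file:"sidebar.html"},' +
    '{id:"not-an-extension-id",file:"x.js"}];',
  'async function fetchExtensions(){/* constructed stub */ return "chrome-extension://"}',
  'function fire(){track("AedEvent");track("SpectroscopyEvent")}',
  'post("https://www.linkedin.com/li/track")',
  '})()',
].join("\n");

const report = scanBundle(SAMPLE_BUNDLE);
for (const [marker, hit] of Object.entries(report.markers)) {
  const where = hit.count
    ? `${hit.count}x, first at line ${hit.first.line}, column ${hit.first.column}`
    : "not found";
  console.log(marker.padEnd(28), where);
}
console.log(`${report.uniqueIds} unique IDs in ${report.entriesMatched} entries; ` +
            `rejected: ${JSON.stringify(report.rejected)}`);
```

To check the real file, pass its contents as a string to scanBundle, then call listedFiles with the ID of an extension you care about.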


Exhibit 2 — Video demonstration

Screen recording of LinkedIn’s extension scanning captured in Chrome’s developer tools. No editing. No narration. The browser shows what LinkedIn’s code does: fetch() calls to chrome-extension:// URLs, probing for specific resource files, followed by fireTrackingPayload transmitting the results to LinkedIn’s servers.


Exhibit 3 — Timestamped evidence package

File: LinkedInLog.zip
Contains: JavaScript bundle, video demonstration, and RFC 3161 timestamp files
Timestamped: February 19, 2026, 15:58:58 UTC
Timestamp authority: freetsa.org (Free TSA, Würzburg, Germany)
Hash algorithm: SHA-512
Serial number: 0x031E6E6F

SHA-512: eb20d4944fb01191eae904b4ca761d58
        a2448a9973c9c0a99ebb87cca876b886
        bf286cca068d5d0fd859126bc54a2a9c
        ceb749a05547e8f41f112a668d1d5f84

Exhibits 1 and 2 packaged together with a cryptographic timestamp from an independent authority. The timestamp proves this package existed on February 19, 2026 and has not been altered since. Download it, compute the SHA-512 hash, compare. If any byte has changed, the hash will not match.

To verify:

openssl ts -verify -in LinkedInLog_zip.tsr \
  -queryfile LinkedInLog_zip.tsq \
  -CAfile cacert.pem -untrusted tsa.crt

Download evidence package →


Exhibit 4 — Sworn affidavit from LinkedIn’s Senior Engineering Manager

Document: Eidesstattliche Versicherung / Affidavit.
Declarant: Milinda Lakkam, Senior Manager, Software Engineering and Machine Learning, LinkedIn Corporation
Filed: February 6, 2026, Mountain View, California
Court reference: Anlage AG 4

And then LinkedIn confirmed it under oath

Lakkam is, by her own statement, the person at LinkedIn responsible for “developing and implementing LinkedIn’s scraping-related multi-layered technical anti-abuse systems.” She submitted this affidavit under penalty of perjury in German court proceedings.

The code in Exhibit 1 proves LinkedIn scans for extensions. This affidavit is LinkedIn confirming it.

Key admissions

Paragraph 3:

“LinkedIn has invested in extension detection mechanisms without which LinkedIn would not have been able to trace the cause of service impacts and outages.”

Paragraph 5:

“The first respondent has also invested in detection technologies for extensions, without which the causes of service disruptions or outages could not have been identified.”

The contradiction

Paragraph 4 contains two claims that cannot both be true.

Claim 1:

“These models do not take the use of any particular browser extension(s) into account.”

Claim 2, same paragraph:

LinkedIn’s systems “may have taken action against LinkedIn users that happen to have [XXXXXX] installed.”

LinkedIn’s models do not consider which extensions you have. But LinkedIn took action against users who had a specific extension. Both statements, same paragraph, same sworn document.

What was never disclosed

This affidavit was submitted to a German court to justify LinkedIn’s enforcement actions. It was not submitted to LinkedIn’s users. LinkedIn’s privacy policy contains zero mention of extension scanning. No user was asked for consent. No user was informed. The admission happened in a courtroom, not on linkedin.com.

Download full affidavit (PDF) →


Verification

The JavaScript file is served by LinkedIn to every Chrome user. Open linkedin.com and check.

The video can be reproduced by anyone with Chrome developer tools.

The timestamp is cryptographically verifiable against an independent authority.

The affidavit is a public court filing.

Nothing on this page requires you to trust us. Verify it yourself.


Download everything

One ZIP containing every exhibit on this page plus a manifest listing each document with its SHA-512 hash.

Download complete evidence pack →


If you are a journalist, researcher, or regulator and need additional materials, contact [email protected].

5 - Why it's illegal and potentially criminal

LinkedIn scans your browser for installed extensions every time you visit the site. It does this without asking, without telling you, and without any mention in its privacy policy.

This is not a gray area. Under European law, what LinkedIn is doing is prohibited. Not regulated. Not subject to conditions. Prohibited. The law uses that word, and it means what it says.

This page explains the laws LinkedIn is breaking, in plain language, with legal citations you can verify. We start with the most severe violation and work outward.


1. Prohibited Data Collection (GDPR Article 9)

European data protection law sorts personal data into two tiers. Ordinary personal data (your name, email address, browsing history) can be processed if there is a legal basis. But a second category, called “special category data,” is subject to a blanket prohibition. It cannot be processed at all, except under a narrow set of exemptions that do not apply here.

Article 9(1) of the GDPR states:

Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.

The word “revealing” is critical. The law does not say “directly stating.” It says “revealing.” The Court of Justice of the European Union has ruled, in three separate cases, that data which allows someone to infer or deduce protected characteristics is covered by this prohibition, regardless of whether the company intended to collect sensitive data.

In Meta Platforms v. Bundeskartellamt (Case C-252/21, July 2023), the Court held that browsing data and app usage data qualify as special category data when they reveal information about health, religion, or political opinions. In the Lindenapotheke case (Case C-21/23, October 2024), the Court confirmed that even purchase data (what medicines someone bought) constitutes health data under Article 9, regardless of the controller’s intent.

LinkedIn’s extension scan falls squarely within this case law.

What the scan reveals

LinkedIn scans for extensions that directly identify the religious beliefs, political opinions, health conditions, and employment status of users. These are real extensions from LinkedIn’s scan list, with their real descriptions from the Chrome Web Store:

Religious beliefs

LinkedIn scans for PordaAI (5,000 users), described as “Blur Haram objects in Images and Videos, Real-time AI for Islamic values.” A user who has this extension installed is a practicing Muslim. LinkedIn also scans for Deen Shield (12 users), described as “Blocks haram & distracting sites, Quran Home Tab.”

If LinkedIn detects either extension, it has collected data revealing that person’s religion. Article 9 prohibits this.

Political opinions

LinkedIn scans for Anti-woke (“The anti-wokeness extension. Shows warnings about woke companies”), Anti-Zionist Tag (“Adds a tag to the LinkedIn profiles of Anti-Zionists”), Vote With Your Money (“showing political contributions from executives and employees”), No more Musk (“Hides digital noise related to Elon Musk,” 19 users), Political Circus (“Politician to Clown AI Filter,” 7 users), LinkedIn Political Content Blocker, and NoPolitiLinked.

Each of these extensions reveals a political position. If LinkedIn detects any of them, it has collected data revealing that person’s political opinions. Article 9 prohibits this.

Health and disability

LinkedIn scans for “simplify,” described as a tool “for neurodivergent users” (79 users). Detecting this extension reveals information about a user’s neurological condition.

Article 9 prohibits this.

Employment status

LinkedIn scans for 509 job search extensions with a combined user base of 1.4 million people. Detecting a job search extension on the browser of someone who has a current employer listed on their LinkedIn profile reveals that person’s employment status: they are looking to leave.

On a platform where employers, recruiters, and current managers can view profiles, this is not abstract. LinkedIn knows who you work for. Now it also knows you are trying to leave. Article 9 treats employment and social security data as requiring heightened protection.

Why none of the exemptions apply

Article 9(2) lists ten exemptions that can override the prohibition. None of them fit.

Explicit consent (Art. 9(2)(a)): LinkedIn never asks for consent to scan extensions. There is no dialog, no toggle, no checkbox. LinkedIn’s privacy policy does not mention extension scanning at all.

Manifestly made public (Art. 9(2)(e)): This exemption applies when people voluntarily make their own data public, such as announcing their religion on a public social media profile. Installing a browser extension is a private act. Extensions are not visible to websites. The user has not made this information public. LinkedIn had to build a detection system, embed 6,222 probe targets in its JavaScript, and fire thousands of fetch requests to extract this data. That is the opposite of “manifestly made public.”

Legitimate interest: This is not even an available basis for special category data. Legitimate interest under Article 6(1)(f) cannot be used to process data that falls under Article 9. The prohibition is absolute unless one of the Article 9(2) exemptions applies.

The penalty

GDPR Article 83(5) assigns the highest penalty tier to violations of Article 9: fines of up to €20 million, or 4% of the company’s total worldwide annual turnover, whichever is higher.

LinkedIn is owned by Microsoft. Microsoft’s fiscal year 2025 revenue was $281.72 billion. Four percent of that is $11.27 billion.

This penalty applies per violation. LinkedIn has been running this scan across 1 billion registered users in Chrome-based browsers, collecting special category data without consent, without disclosure, and without any legal basis.

Where this law applies

The GDPR applies directly in all 27 EU member states: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, and Sweden.

Three additional countries apply the GDPR through the EEA Agreement: Norway, Iceland, and Liechtenstein.

The United Kingdom applies equivalent rules through the UK GDPR (retained EU law), with fines of up to £17.5 million or 4% of global turnover under UK Article 83(5).

Switzerland applies comparable protections under the revised Federal Act on Data Protection (nFADP), which took effect September 1, 2023. The nFADP classifies religious beliefs, political opinions, health data, and trade union membership as “sensitive personal data” requiring heightened protection (Art. 5(c) nFADP).

In total, Article 9 protections or their equivalents apply to roughly 500 million people across 32 countries.


2. No Legal Basis for Any Processing (GDPR Article 6)

Even setting aside the special category problem, LinkedIn has no legal basis for scanning extensions at all.

GDPR Article 6 requires that every act of processing personal data has a legal basis. There are six options: consent, contract performance, legal obligation, vital interests, public interest, or legitimate interest.

Consent: Not obtained. No user has ever been asked whether LinkedIn may scan their browser extensions.

Contract performance: Scanning your extensions is not necessary to provide the LinkedIn service. You can use LinkedIn without LinkedIn knowing what extensions you have installed. The service functioned for years with only 38 extensions in the scan list (2017). The scan exists for LinkedIn’s purposes, not yours.

Legitimate interest: Even if LinkedIn claimed a legitimate interest in fraud prevention (and extension scanning is not fraud prevention), Article 6(1)(f) requires a balancing test. The interests of 405 million users in not having their browsers secretly surveilled outweigh any claimed interest LinkedIn has in knowing what software they use.

Legal obligation, vital interests, public interest: None apply.

LinkedIn’s privacy policy contains no mention of extension scanning. This is itself a violation of Articles 13 and 14, which require transparent disclosure of processing activities.


The ePrivacy Directive (2002/58/EC, as amended by 2009/136/EC) requires consent before accessing information stored on a user’s device. This is the same rule that requires cookie consent banners across the web. It applies equally to browser extension scanning.

When LinkedIn fires 6,222 fetch requests to chrome-extension:// URLs, it is accessing information stored on the user’s terminal equipment: specifically, which software is installed. Each probe is an attempt to read data from the user’s device.

Every EU member state has transposed this directive into national law:

Germany: TTDSG § 25. “The storage of information in the end user’s terminal equipment or access to information already stored in the terminal equipment shall only be permitted if the end user has given consent.” Penalty: up to €300,000 per violation. Extension scanning is accessing information on terminal equipment. No consent has been obtained.

Netherlands: Telecommunicatiewet. The Dutch transposition of the ePrivacy Directive carries the same consent requirement. Violations are enforceable by the Autoriteit Persoonsgegevens (AP) and can compound with GDPR penalties.

France: Loi Informatique et Libertés / CNIL guidance. The CNIL has been among the most active enforcers of terminal equipment access rules, issuing major fines to Google and Facebook for cookie consent violations. The same rules apply to extension scanning.

Every other EU and EEA member state has its own transposition. The principle is the same everywhere: accessing data on a user’s device requires their consent. LinkedIn has not obtained it.


4. German Criminal Law

In Germany, what LinkedIn is doing is not only a regulatory violation. It is a criminal offense.

§ 202a StGB: Unauthorized data access (Ausspähen von Daten)

German law criminalizes obtaining access to data that is not intended for the offender and is specifically protected against unauthorized access. The penalty is up to three years in prison.

Browser extensions are protected against unauthorized access. When an extension developer sets externally_connectable to disabled in their manifest, or does not declare files as web_accessible_resources, that is an explicit security measure. LinkedIn’s three-stage detection system, which probes for known resources and falls back to DOM scanning, constitutes deliberate circumvention.

The German Federal Court of Justice (BGH) confirmed in 5 StR 614/19 that even security measures which can be quickly circumvented still qualify as “special security measures” (besondere Sicherung) under § 202a. The ease of circumvention does not matter. What matters is that a protective measure existed and was deliberately overcome.

§ 202b StGB: Interception of data (Abfangen von Daten)

Transmitting the list of detected extensions to LinkedIn’s servers via the AedEvent and SpectroscopyEvent tracking payloads constitutes interception and transmission of data that was not intended for LinkedIn.

§ 202c StGB: Preparation of data espionage (Vorbereiten des Ausspähens)

The fingerprinting system itself, a piece of software designed to probe for and extract information about installed software without authorization, constitutes a tool prepared for the purpose of committing offenses under § 202a and § 202b.

§ 240 StGB: Coercion (Nötigung)

LinkedIn used the results of BrowserGate scanning to identify users of third-party tools, then sent enforcement emails threatening those users with account restrictions. Using data obtained through criminal means (§ 202a) to threaten people constitutes coercion.

§ 23 GeschGehG: Trade secret theft

Each extension vendor’s user base is a trade secret. When LinkedIn scans for a competitor’s extension and detects which LinkedIn users have it installed, LinkedIn has obtained that competitor’s customer data through improper means. With 6,222 extensions in the scan list, this represents thousands of potential separate offenses.


5. United Kingdom

The UK applies three bodies of law to LinkedIn’s conduct.

UK GDPR

The UK retained the GDPR after Brexit, and Article 9 applies with identical force. Processing of special category data is prohibited unless an exemption applies. The same extensions that reveal religion, politics, disability, and employment status to LinkedIn in the EU reveal the same information in the UK. Maximum fine: £17.5 million or 4% of global turnover.

Computer Misuse Act 1990

Section 1 of the Computer Misuse Act criminalizes unauthorized access to computer material. Probing a user’s browser for installed software, without their knowledge or consent, by firing thousands of fetch requests to internal extension URLs is unauthorized access to information stored on the user’s computer. The maximum penalty is two years’ imprisonment.

Trade Secrets (Enforcement, etc.) Regulations 2018

The UK transposed the EU Trade Secrets Directive into national law. Extension vendors’ customer data (who has their extension installed) constitutes a trade secret under this framework. LinkedIn’s systematic scanning to identify which users run competitor products constitutes acquisition of trade secrets through unlawful means.


6. California (United States)

US federal privacy law is weak compared to the EU. But California, where many LinkedIn users and most tech companies are based, has its own regime.

California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA)

The CCPA, as amended by CPRA, gives California consumers the right to know what personal information is being collected about them, the right to delete it, and the right to opt out of its sale or sharing.

LinkedIn collects a list of installed browser extensions, tied to identified users (LinkedIn knows your name, employer, job title, and location). This is “personal information” under CCPA § 1798.140(v). LinkedIn does not disclose this collection in its privacy policy, does not provide an opt-out, and does not honor deletion requests for this data because it does not acknowledge the data exists.

The CPRA added the category of “sensitive personal information,” which includes data revealing religious beliefs, health, and other characteristics. The extension scanning reveals exactly these categories for California users, just as it does for EU users.

California Invasion of Privacy Act (CIPA)

CIPA provides statutory damages of $5,000 per violation, without requiring proof of actual harm. The law targets unauthorized interception of communications and unauthorized access to data. Whether LinkedIn’s extension probing qualifies as “interception” under CIPA is a novel legal question. LinkedIn is not intercepting communications between two parties. It is probing for installed software. The statutory fit requires careful legal analysis, but the damages exposure is significant: millions of California LinkedIn users at $5,000 each.


What This Adds Up To

LinkedIn is not in violation of one law. It is in violation of a stack of laws, across multiple jurisdictions, simultaneously.

Jurisdiction | Law | Violation | Maximum Penalty
EU (27 countries) | GDPR Article 9 | Processing prohibited special category data | €20M or 4% of global turnover ($11.27B for Microsoft)
EU (27 countries) | GDPR Article 6 | No legal basis for processing | €20M or 4% of global turnover
EU (27 countries) | GDPR Articles 13/14 | No disclosure in privacy policy | €20M or 4% of global turnover
EU (27 countries) | ePrivacy Directive | Terminal equipment access without consent | Varies by member state
EEA (Norway, Iceland, Liechtenstein) | GDPR via EEA Agreement | Same as EU | Same as EU
Germany | § 202a StGB | Unauthorized data access | Up to 3 years imprisonment
Germany | § 202b StGB | Interception of data | Up to 2 years imprisonment
Germany | § 202c StGB | Preparation of data espionage | Up to 2 years imprisonment
Germany | § 240 StGB | Coercion | Up to 3 years imprisonment
Germany | § 23 GeschGehG | Trade secret theft | Civil and criminal penalties
Germany | TTDSG § 25 | Terminal equipment access | Up to €300,000 per violation
United Kingdom | UK GDPR Article 9 | Processing prohibited data | £17.5M or 4% of global turnover
United Kingdom | Computer Misuse Act 1990 | Unauthorized computer access | Up to 2 years imprisonment
United Kingdom | Trade Secrets Regulations 2018 | Acquisition by unlawful means | Civil damages
Switzerland | nFADP Art. 5(c) | Processing sensitive data without legal basis | Up to CHF 250,000 (individual liability)
California | CCPA/CPRA | Undisclosed collection of personal/sensitive info | $2,500-$7,500 per violation
California | CIPA | Unauthorized access to data | $5,000 per violation (statutory)

These are not alternative theories. They are concurrent violations. LinkedIn is breaking multiple laws in multiple countries every time a Chrome user opens linkedin.com.


Who Enforces This

Every EU member state has a data protection authority empowered to investigate, fine, and order LinkedIn to stop. LinkedIn’s lead supervisory authority in the EU is the Irish Data Protection Commission (DPC). Any EU resident can also file a complaint with their national authority.

In Germany, criminal complaints (Strafanzeige) can be filed with the Staatsanwaltschaft (public prosecutor’s office) for the § 202a, § 202b, and § 240 StGB offenses.

In the UK, the Information Commissioner’s Office (ICO) enforces the UK GDPR and can refer Computer Misuse Act violations to police.

In California, the California Privacy Protection Agency (CPPA) enforces the CCPA/CPRA, and the Attorney General retains independent enforcement authority.

You can take action yourself. See Take Action for pre-filled complaint templates for every EU data protection authority, GDPR subject access request templates, and more.


This page presents legal analysis based on the statutes, case law, and regulatory guidance cited above. It is not legal advice. The factual basis for this analysis, LinkedIn’s extension scanning code and behavior, is documented on the How It Works page and can be independently verified by anyone with a Chrome browser and developer tools.

This page will be updated as new jurisdictions are analyzed and as legal proceedings develop.

6 - This Is Not Just a Privacy Violation

When people hear that LinkedIn scans browser extensions without consent, the first reaction is usually about personal privacy. That reaction is correct, but it is incomplete.

The problem with BrowserGate is not only that it affects millions of individuals. It is what LinkedIn can do with the data once it has it.

LinkedIn is not Reddit. It is not Twitter. It is not an anonymous forum where people use pseudonyms and joke about their cats. LinkedIn is the world’s largest verified professional directory. It has 1.2 billion registered members across 200 countries. More than 67 million companies are listed on the platform. Users register with their real names. Many are verified with photo ID. They list their real employers, real job titles, real education history, real professional connections. In many industries, having a LinkedIn profile is not optional. It is a prerequisite for being hired.

This means LinkedIn does not just know that someone has a religious browser extension installed. It knows that person’s name, employer, job title, department, location, and professional network. And it knows the same about every one of their colleagues who also uses LinkedIn.

That is not a privacy breach. That is an intelligence operation.


The individual layer: profiling real people

On an anonymous platform, knowing that a user has the PordaAI extension installed tells you that an anonymous account belongs to a practicing Muslim. That is a privacy violation, but the damage is limited by the anonymity.

On LinkedIn, the same data point is attached to a verified identity. LinkedIn does not just know that someone is a practicing Muslim. It knows that Fatima A., Senior Policy Advisor at the German Federal Ministry of the Interior, Berlin, is a practicing Muslim. Because she has a LinkedIn profile with her real name, real photo, real employer, and real title. And because LinkedIn’s JavaScript probed her browser and found PordaAI installed.

The same logic applies to every category of extension LinkedIn scans for:

Political opinions. If LinkedIn detects “Anti-Zionist Tag” or “No more Musk” on the browser of a named, verified professional, it has not just collected political opinion data. It has tied that political opinion to a specific person at a specific organization. A diplomat. A procurement officer. A journalist. A judge.

Health and disability. If LinkedIn detects “simplify” (described as “for neurodivergent users”) on the browser of someone who lists their employer as a law firm, a hospital, or a public school district, LinkedIn now knows that a named employee at that organization has a neurological condition. This is information that employers are legally prohibited from asking about in most jurisdictions, and that LinkedIn has no right to collect.

Employment status. If LinkedIn detects one of the 509 job search extensions on the browser of someone whose profile says they currently work at Company X, LinkedIn knows that person is trying to leave. On a platform where their current employer’s recruiters, HR department, and managers are also active. LinkedIn has created a system that exposes job seekers to their current employers.


The organizational layer: profiling companies

The individual violations are serious. But the organizational implications are worse.

LinkedIn does not just have data about individuals. It has data about where those individuals work. When you aggregate extension scan results across every employee at a company who uses LinkedIn, you get a profile of the organization itself.

Consider what LinkedIn can determine about a single company:

Technology stack. LinkedIn scans for extensions from Salesforce, HubSpot, Apollo, Lusha, ZoomInfo, Adobe, and hundreds of other software vendors. If 47 employees at Company X have the Salesforce extension installed and 3 have HubSpot, LinkedIn knows that Company X is a Salesforce customer and may be evaluating HubSpot. This is competitive intelligence that software vendors pay millions to acquire through legitimate channels.

Sales and prospecting tools. LinkedIn scans for 209 sales and prospecting extensions with 3.4 million total users. These include Apollo, Lusha, ZoomInfo, and other tools that directly compete with LinkedIn’s own Sales Navigator product, which generates roughly $1 billion per year in revenue. LinkedIn is scanning for its own competitors’ customers so it can identify them. It has already used this data to send enforcement threats.

Security posture. LinkedIn scans for Malwarebytes Browser Guard (10 million users), VPNs like KeepSolid VPN Unlimited, password managers like Zoho Vault, and privacy tools like LinkedIn Profile Privacy Shield. The presence or absence of security tools across an organization’s employees reveals that organization’s security posture. Which companies use enterprise security tools? Which ones don’t?

Internal culture. If LinkedIn detects political extensions across employees at a company, it can infer the political leanings of the workforce. If it detects religious extensions, it knows the religious composition. If it detects job search extensions on 30% of a company’s employees, it knows the company has a retention problem.

None of this is hypothetical. The technical architecture documented on the How It Works page fires up to 6,222 extension probes on every Chrome user who visits LinkedIn. LinkedIn has the user’s profile data. It has their employer. It has the scan results. The aggregation is trivial.


The competitive intelligence layer: 6,222 stolen customer lists

Every software product has a customer list. That list is universally recognized as a trade secret, in the EU, in the US, and in every major jurisdiction. Companies spend millions protecting it. Sales teams sign non-compete agreements to prevent its leakage. Lawsuits are filed over it routinely.

LinkedIn has built a system that extracts customer lists from 6,222 software companies simultaneously. Without asking. Without paying. Without the companies knowing.

Here is how it works: Adobe’s Acrobat extension has millions of users. LinkedIn scans for it. Every LinkedIn user who has the Adobe Acrobat extension installed is identified, by name, employer, and job title. LinkedIn now has a partial customer list for Adobe, segmented by company, industry, and role. Multiply this across all 6,222 extensions.

LinkedIn is not buying this data on the open market. It is not licensing it from data brokers. It is extracting it from users’ browsers through a covert detection system, attaching it to verified professional identities, and transmitting it, encrypted, to its own servers. This is the kind of competitive intelligence that, if obtained by an employee walking out of a company with a USB drive, would result in criminal prosecution.

LinkedIn does it to 6,222 companies at once, continuously, and at scale.


The government layer: who else is on LinkedIn?

LinkedIn’s user base does not consist only of private sector employees. Governments, military organizations, intelligence agencies, law enforcement bodies, regulators, international organizations, and NGOs are all represented. Their employees have LinkedIn profiles with their real names, real titles, and real institutional affiliations.

LinkedIn’s extension scanning does not distinguish between a marketing manager at a startup and a cybersecurity analyst at a European defense ministry. Both get scanned. Both have their results transmitted to LinkedIn’s servers in the United States.

Consider what BrowserGate reveals about government employees:

Security tool usage. If a cluster of employees at a government ministry all have Malwarebytes or a specific VPN extension, LinkedIn can map the security tools used inside that ministry. If some employees lack security extensions, LinkedIn knows which ones are unprotected.

Religious and political composition. If LinkedIn detects religious extensions among employees at a law enforcement agency, it has data on the religious composition of that agency’s workforce. If it detects political extensions among employees at a regulatory body, it has data on the political leanings of the people who regulate it. LinkedIn is currently designated as a DMA-regulated gatekeeper by the European Commission. The very officials responsible for enforcing the DMA against LinkedIn are almost certainly on LinkedIn themselves.

Job-seeking behavior. If analysts at an intelligence agency are running job search extensions, LinkedIn knows that agency has a retention problem, what kind of roles those analysts are looking for, and potentially where they are looking. This is operational security intelligence.

Technology adoption. Government agencies’ technology choices are often classified or sensitive procurement information. Which agencies use which productivity tools, which CRM systems, which security solutions. LinkedIn’s extension scanning maps these choices by detecting the tools on individual employees’ browsers.


The transatlantic data flow: where does the data go?

LinkedIn is a US company owned by Microsoft, headquartered in Sunnyvale, California. LinkedIn’s li/track telemetry endpoint, where all scan results are transmitted, resolves to servers under LinkedIn’s control.

This means the extension scan data, including information revealing religious beliefs, political opinions, health conditions, security tools, and employment intentions of European citizens, is transmitted to the United States.

This is happening at a time when EU-US data transfer is already legally contested. The EU-US Data Privacy Framework exists precisely because the Court of Justice of the European Union struck down two prior frameworks (Safe Harbor in 2015, Privacy Shield in 2020) on the grounds that US surveillance law does not provide adequate protection for European citizens’ data.

The BrowserGate data is not routine browsing data. It includes GDPR Article 9 special category data: religion, politics, health. It covers government employees, regulators, elected officials, military personnel, intelligence professionals. It is collected covertly, transmitted encrypted, and processed without any transparency mechanism.

Under normal circumstances, transferring special category data to the US requires explicit consent and a Data Protection Impact Assessment. LinkedIn has neither.


The monopoly layer: why LinkedIn can do this

LinkedIn can operate this surveillance system because it is a monopolist.

There is no alternative professional network at comparable scale. If you are a professional in most industries, you need a LinkedIn profile. Recruiters expect it. Clients check it. Colleagues connect on it. Refusing to use LinkedIn means accepting a real professional disadvantage.

This gives LinkedIn the power to set terms that no user would accept if they had a choice. No user, if asked, would consent to having their browser scanned for 6,222 extensions every time they visit a website. But LinkedIn does not ask, because it does not have to. Where would you go instead?

The Digital Markets Act was supposed to address exactly this kind of abuse. The EU designated LinkedIn as a gatekeeper platform in September 2023 and required it to open access to third-party tools under Article 6(10). LinkedIn’s response was to massively expand its extension scanning. In 2024, the scan list contained roughly 461 extensions. By December 2025, it had grown to 5,459. By February 2026, 6,167. The 10x growth in the scan list directly tracks the period when LinkedIn was supposed to be opening up to competition.

The EU told LinkedIn to allow third-party tools. LinkedIn responded by building a surveillance system to identify and punish every user of those tools.


What this is, taken together

BrowserGate is not one thing. It is several things operating simultaneously:

It is a mass privacy violation affecting every Chrome user who visits LinkedIn.

It is an illegal profiling system that collects data on religion, politics, health, and employment status, tied to verified real-world identities.

It is a corporate intelligence operation that maps the technology stacks, security postures, and internal cultures of tens of millions of companies.

It is a trade secret extraction machine that compiles customer lists for 6,222 software vendors without their knowledge or consent.

It is a tool for surveilling government employees, including the very regulators and legislators responsible for overseeing LinkedIn’s compliance with the law.

And it is a monopoly maintenance mechanism, designed to identify and suppress the users of competing tools on a platform where users have no meaningful alternative.

One company, owned by the largest software corporation on earth, with 1.2 billion users’ verified professional identities, decided to silently scan every visitor’s browser for installed software and transmit the results, encrypted, to its servers. No consent. No disclosure. No oversight.

The question is not whether this violates the law. We have documented that. The question is whether the institutions responsible for enforcing the law will act before LinkedIn finishes building the most comprehensive corporate and government intelligence database ever assembled by a private company.


The technical evidence for BrowserGate is documented on the How It Works page. The legal violations are analyzed on the Why It’s Illegal page. The full list of scanned extensions is searchable on the Extensions Database page.

7 - Scanned Extensions Database

Every time you visit LinkedIn, a hidden JavaScript program scans your browser for installed Chrome extensions. No notice. No opt-in. No mention in their privacy policy.

The scan doesn’t just look for LinkedIn-related tools. It identifies whether you use an Islamic content filter (PordaAI — “Blur Haram objects, real-time AI for Islamic values”), whether you’ve installed an anti-Zionist political tagger (Anti-Zionist Tag), or a tool designed for neurodivergent users (simplify). Under GDPR Article 9, processing data that reveals religious beliefs, political opinions, or health conditions requires explicit consent. LinkedIn obtains none.

It also scans for every major competitor to Microsoft’s own products — Salesforce, HubSpot, Pipedrive — building company-level intelligence on which businesses use which software. Because LinkedIn knows your name, employer, and role, each scan aggregates into a corporate technology profile assembled without anyone’s knowledge.

The list is growing. In May 2025, LinkedIn scanned for roughly 1,000 extensions. Ten months later, the number has passed 5,000. The surveillance is not slowing down — it is accelerating.

This database contains every extension LinkedIn is known to scan for, extracted from LinkedIn’s production JavaScript bundles.

8 - Join our mailing list

Please join our mailing list so we can stay in contact and update you on our campaign to stop BrowserGate and make Microsoft/LinkedIn comply with the law.

Subscribe to Mailing List


9 - Contact Us

Have questions, tips, or want to collaborate? Reach out — we read every message.

10 - Fairlinked — LinkedIn Tool Maker Updates

EU regulation gives every business the right to access LinkedIn data. Fairlinked is enforcing that right and building a legal pathway for tools like yours to operate without fear of takedown. Subscribe for legal strategy updates, regulatory filings, and Working Group opportunities.

Subscribe


11 - 5 Things you can do to help stop BrowserGate

LinkedIn has 33,000 employees and a $15 billion legal budget.
But we are one billion LinkedIn users.
And you have this list.

01 | Check if your tools are on the list

Search the database of 6,222 extensions LinkedIn scans for.

Search the list →

Enter your extension name or ID and see it in LinkedIn’s actual JavaScript code. Takes 10 seconds.


02 | Share this with someone who should know

Most people have no idea this is happening. Use our pre-written posts and media assets to share on LinkedIn, X, Mastodon, Bluesky, or Facebook. Each post is tailored to the platform. One click.


03 | Join our mailing list and WhatsApp group

Legal updates, new technical findings, press coverage, and calls to action. No spam. Unsubscribe or leave anytime.

Join our mailing list →
Join our WhatsApp group →


04 | Talk to the press

Know a journalist? Ask them what they need to cover BrowserGate.
Don’t know one? Call your local newspaper, radio station, or TV newsroom and ask why they haven’t reported that LinkedIn scans 405 million users’ browsers without consent.

How to talk to the media →

Every professional with a LinkedIn account is affected. Every business with a LinkedIn company page is affected. Every employee whose browser is being fingerprinted without their employer’s knowledge is affected. That is a story.


Microsoft has unlimited legal resources. They respond to a 5-page brief with a 120-page filing drafted by 50 lawyers. The goal is not to win on arguments. The goal is to exhaust opponents financially.

The only way to match that is collective funding. Your donation finances the legal proceedings through Fairlinked e.V., the German nonprofit pursuing DMA enforcement against LinkedIn.

Donate here →


Coming soon:

06 | Send a letter

Emails get ignored. Letters create a paper trail. They generate records. They require responses.

You can send letters to:

  • Your local data protection authority — file a formal complaint about LinkedIn’s extension scanning.
  • Microsoft/LinkedIn directly — demand they disclose what data they collected about your browser, under GDPR Article 15.
  • Your national IT security authority (CERT) — report unauthorized code execution. LinkedIn injects JavaScript that probes your browser for installed software without disclosure.
  • Your member of parliament or MEP — demand they push the European Commission to investigate LinkedIn’s DMA non-compliance.

[TODO: We are building an AI-assisted letter generator that drafts, prints, and mails these letters on your behalf. Each letter includes a donation to Fairlinked to finance the legal fight.]


07 | Request your data from LinkedIn

You have the right to know what LinkedIn collected about you. Send them a GDPR Subject Access Request and demand they disclose:

  • Which extensions they detected on your browser
  • When they scanned your browser
  • What data they stored
  • Who they shared it with
  • Their legal basis for processing

Do not ask for the standard data export. Ask specifically for extension detection data, device fingerprinting data, and any records transmitted via their AedEvent and SpectroscopyEvent tracking systems.

[Send a GDPR request → (pre-filled template)]


08 | File a complaint with your data protection authority

Country-specific, pre-filled complaint forms for every EU/EEA data protection authority. Select your country, fill in your name, submit.

LinkedIn’s EU lead supervisory authority is the Irish Data Protection Commission. The more complaints the Irish DPC receives, the harder BrowserGate is to ignore.

[File a complaint →]


09 | Register as a potential co-plaintiff

We are preparing class action suits in multiple countries and jurisdictions. If you want to participate, register now. No obligation until a case is filed. We will contact you with details when proceedings begin in your jurisdiction.

[Register as co-plaintiff →]


10 | Help collect evidence

We have developed a Chrome extension that documents LinkedIn’s scanning behavior on your browser. It captures evidence of the abuse with a tamper-proof timestamp, which you can upload to our server.

The more documented instances we have, the stronger the case in court.

[Install the evidence collector →]


For developers and LinkedIn tool makers

If you develop a LinkedIn tool or Chrome extension, join our working group. We have established Fairlinked e.V. as a non-profit trade association for commercial LinkedIn users. Fairlinked is registered with the EU and has entered a regulatory dialogue with the EU Commission about LinkedIn’s compliance with EU regulations.

Together, we are defining the technical requirements for the API that Microsoft must provide to businesses and tool developers under DMA Article 6(10).

[Join the developer coalition →]


Every action on this page is backed by specific legal rights under the GDPR, the Digital Markets Act, and national data protection laws. You are not asking for a favor. You are exercising rights that exist precisely for situations like this.

11.1 - Tell others about BrowserGate

There are 1.2 billion LinkedIn users.

Most have no idea LinkedIn scans their browser and shares their data illegally with others.
Copy a post below and fix that.


LinkedIn

Yes, post it on LinkedIn. That’s the point.

Post 1 — The basics

LinkedIn scans your browser for 6,222 Chrome extensions every time you visit the site.
No consent. No disclosure. No mention of it in their privacy policy.

The scan reveals which tools you use for sales, job searching, ad blocking, VPN, and security.
It also detects extensions related to religion, politics, and disability.

LinkedIn’s privacy policy contains zero mention of extension scanning. Zero.

This is called BrowserGate.
The full technical analysis, legal breakdown, and the complete list of scanned extensions are at browsergate.eu

Post 2 — For salespeople

If you use Apollo, Lusha, ZoomInfo, or any other sales tool as a Chrome extension, LinkedIn already knows.

LinkedIn scans your browser for 209 sales and prospecting extensions. That’s not a guess. It’s in their JavaScript code, verifiable by anyone with dev tools.

They use this data to identify users of competing products. Then they enforce their Terms of Service clause 8.2.2, which bans all third-party tools.

The EU Digital Markets Act says that ban is illegal. LinkedIn expanded the scanning program anyway.

Full details: browsergate.eu

Post 3 — For job seekers

LinkedIn scans for 509 job search extensions. That’s 1.4 million users whose employment status is being recorded without consent.

On a platform where your current employer, your recruiter, and your next boss can all see your profile, LinkedIn is silently flagging that you’re looking for work.

They never asked. They never told you. It’s not in their privacy policy.

browsergate.eu

Post 4 — For developers and extension makers

LinkedIn probes your extension using three methods: externally_connectable messaging, web_accessible_resources fetch, and DOM mutation detection. Results are exfiltrated via fireTrackingPayload("AedEvent").

If you disabled externally_connectable in your manifest.json, they try the next method. Then the next. It’s a deliberate fallback escalation chain.

They’ve catalogued a specific internal file path for each of the 6,222 extensions they scan for. Someone at LinkedIn manually mapped your extension’s resources.

The full technical analysis with code snippets from LinkedIn’s JavaScript bundle: browsergate.eu


X (Twitter)

Tweet 1

LinkedIn scans your browser for 6,222 Chrome extensions. No consent. No disclosure. Their privacy policy mentions none of it.

The scan reveals religion, politics, disability, and employment status.

browsergate.eu

Tweet 2

LinkedIn detects 509 job search extensions. 1.4 million users silently flagged as job seekers on a platform where your current employer can see your profile.

browsergate.eu

Tweet 3

LinkedIn scans for religious extensions like PordaAI and Deen Shield. Political extensions like Anti-Zionist Tag and No more Musk. A neurodivergence tool called “simplify” with 79 users.

This is GDPR Article 9 special category data. No consent was given.

browsergate.eu

Tweet 4

LinkedIn went from scanning 38 extensions in 2017 to 5,459 in 2025. The 10x jump happened right after they were designated a DMA gatekeeper and forced to allow third-party tools.

They responded to regulation with surveillance.

browsergate.eu


Mastodon / Bluesky

Post 1

LinkedIn runs a silent browser scan on every Chrome user who visits the site. 6,222 extensions. ~405 million users affected. No consent, no disclosure, no mention in their privacy policy.

The scan identifies your sales tools, VPN, ad blocker, job search extensions, and extensions tied to religion, politics, and disability.

The full technical breakdown, legal analysis, and searchable database of every scanned extension: browsergate.eu

Post 2

Fun fact: LinkedIn’s JavaScript bundle contains a hardcoded list of 6,222 Chrome extension IDs, each paired with a specific internal file path that LinkedIn engineers mapped manually.

They probe your browser using three escalating detection methods. If one fails, they try the next.

It’s not subtle. It’s in the source code. Anyone can verify it.

browsergate.eu


Facebook

Post 1

If you’ve ever visited LinkedIn on Chrome, they scanned your browser for installed extensions. Without asking. Without telling you.

The list covers 6,222 extensions with a combined user base of about 405 million people. It includes job search tools, sales software, ad blockers, VPNs, and extensions related to religion, political views, and disability.

None of this is mentioned in LinkedIn’s privacy policy.

A group of researchers and developers published the full technical evidence, the legal analysis, and a searchable database of every extension LinkedIn scans for. Check if your extensions are on the list: browsergate.eu


Email to a friend

Subject: LinkedIn is scanning your browser extensions

You should look at this. LinkedIn runs a scan on every Chrome user’s browser, checking for 6,222 specific extensions. No consent, nothing in their privacy policy about it.

It detects sales tools, job search extensions, ad blockers, VPNs, and extensions tied to religion and politics. They’ve been doing it since at least 2017 and expanded it massively in 2025.

The full breakdown with evidence from LinkedIn’s actual code: browsergate.eu


Notes for sharing

Every claim in these posts can be verified at browsergate.eu. The extension list is extracted from LinkedIn’s own JavaScript bundle (file: 5fdhwcppjcvqvxsawd8pg1n51.js, webpack chunk 905). The detection methods, extension IDs, and exfiltration mechanisms are documented with code snippets.

If someone challenges you, point them to the source code. That ends the argument.
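For extension developers: the three probe methods named in the developer post above correspond to three manifest.json keys. The following is an added example, not code from LinkedIn's bundle or from Fairlinked; the function names and sample manifests are hypothetical, match-pattern paths are ignored, and the content_scripts check is only a heuristic for "this extension can change the page's DOM".

```javascript
// Audit a parsed manifest.json for the three exposure paths described above.
// All manifests in this file are constructed samples.

// True if a Chrome match pattern covers https://<host>/ .
// Simplifying assumption: the path part of the pattern is ignored.
function patternCoversHost(pattern, host) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?|file|ftp):\/\/([^/]*)\//.exec(pattern);
  if (!m) return false;
  const [, scheme, patHost] = m;
  if (scheme !== "*" && scheme !== "https") return false;
  if (patHost === "*") return true;
  if (patHost.startsWith("*.")) {
    const base = patHost.slice(2);
    return host === base || host.endsWith("." + base);
  }
  return patHost === host;
}

function auditManifest(manifest, host = "www.linkedin.com") {
  const covers = (patterns) =>
    (patterns || []).some((p) => patternCoversHost(p, host));
  const findings = [];

  // 1. externally_connectable: a web page can message the extension only
  //    if its origin is listed under "matches".
  const ec = manifest.externally_connectable;
  if (ec && covers(ec.matches)) {
    findings.push({ method: "externally_connectable",
      detail: `pages on ${host} may message this extension` });
  }

  // 2. web_accessible_resources: a page that can fetch a known file under
  //    the fixed extension ID learns that the extension is installed.
  for (const entry of manifest.web_accessible_resources || []) {
    if (typeof entry === "string") {
      // Manifest V2 form: a bare path, readable from every page.
      findings.push({ method: "web_accessible_resources",
        detail: `${entry} is readable from any page (Manifest V2 form)` });
    } else if (covers(entry.matches) && entry.use_dynamic_url !== true) {
      findings.push({ method: "web_accessible_resources",
        detail: `${entry.resources.join(", ")} readable under the fixed ID` });
    }
  }

  // 3. content_scripts: heuristic. A script running on the host may insert
  //    or alter DOM nodes that the page itself can observe.
  for (const cs of manifest.content_scripts || []) {
    if (covers(cs.matches)) {
      findings.push({ method: "content_scripts",
        detail: `${(cs.js || []).join(", ")} runs on ${host}` });
    }
  }
  return findings;
}

// Constructed sample: exposed on all three paths.
const EXPOSED_MANIFEST = {
  manifest_version: 3,
  externally_connectable: { matches: ["https://*.linkedin.com/*"] },
  web_accessible_resources: [
    { resources: ["img/icon.png"], matches: ["<all_urls>"] },
  ],
  content_scripts: [
    { matches: ["https://www.linkedin.com/*"], js: ["inject.js"] },
  ],
};

// Constructed sample: messaging limited to the vendor's own site, resources
// served under a per-session dynamic ID, no content script on the host.
const HARDENED_MANIFEST = {
  manifest_version: 3,
  externally_connectable: { matches: ["https://app.example.com/*"] },
  web_accessible_resources: [
    { resources: ["img/icon.png"], matches: ["https://*.linkedin.com/*"],
      use_dynamic_url: true },
  ],
  content_scripts: [
    { matches: ["https://app.example.com/*"], js: ["app.js"] },
  ],
};

for (const f of auditManifest(EXPOSED_MANIFEST)) {
  console.log(`[${f.method}] ${f.detail}`);
}
```

An empty result means none of the three manifest-level exposures applies to the host; it does not prove that the extension is undetectable by other means.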

11.2 - Join our mailing list

11.3 - Join WhatsApp Group

11.4 - Help make BrowserGate go public

Pick a pitch. Find a journalist. Copy, paste, send.


How to find the right journalist

Check the byline on any recent article about Big Tech, privacy, GDPR, or surveillance. That’s your person. Find their email on the publication’s staff page, their Twitter bio, or their personal website.

No specific journalist in mind? Call any newsroom and say: “I have a story tip for your tech or privacy reporter.”


The pitches

Pick the one that fits the journalist’s beat. Privacy reporter? Send the religion pitch. Business reporter? Send the competitive intelligence pitch. Tech reporter? Send the source code pitch.

For privacy and data protection reporters

Subject: LinkedIn scans browsers for religious and political extensions without consent

Hi [name],

LinkedIn silently scans every Chrome user’s browser for 6,222 installed extensions. The scan detects extensions that reveal religious belief (PordaAI, Deen Shield), political opinion (Anti-Zionist Tag, No more Musk), disability (a neurodivergence tool called “simplify”), and employment status (509 job search extensions covering 1.4 million users).

This is GDPR Article 9 special category data. No consent. No disclosure. LinkedIn’s privacy policy contains zero mention of extension scanning.

A sworn affidavit from LinkedIn’s Senior Manager of Software Engineering confirms the company “invested in extension detection mechanisms” deliberately.

Full technical evidence, legal analysis, and a searchable database of all 6,222 scanned extensions: browsergate.eu

Happy to connect you with the research team if you want more detail.

For tech reporters

Subject: LinkedIn’s JavaScript bundle contains 6,222 hardcoded Chrome extension IDs

Hi [name],

LinkedIn serves a JavaScript file to every Chrome user that contains a hardcoded array of 6,222 Chrome extension IDs. Each ID is paired with a specific internal file path that LinkedIn engineers mapped for detection.

The system uses three escalating methods: externally_connectable messaging, web_accessible_resources fetch, and DOM mutation detection. Results are exfiltrated via fireTrackingPayload("AedEvent") to LinkedIn’s li/track telemetry endpoint.

Anyone can verify this. Open linkedin.com, open dev tools, search for “fetchExtensions” in the JS bundle.

Full code analysis with snippets: browsergate.eu

Happy to connect you with the research team.

For business and competition reporters

Subject: LinkedIn scans browsers to identify users of competing sales tools

Hi [name],

LinkedIn scans every Chrome user’s browser for 209 sales and prospecting extensions, including Apollo, Lusha, and ZoomInfo (3.4 million combined users). Because LinkedIn knows each user’s name, employer, and role, this aggregates into company-level competitive intelligence: which companies use which sales tools.

LinkedIn then enforces Terms of Service clause 8.2.2, a blanket ban on all third-party tools, against identified users. The EU Digital Markets Act says that ban is illegal. LinkedIn expanded the scanning program from 461 extensions to 5,459 in the year following its DMA gatekeeper designation.

Sales Navigator generates roughly $1 billion per year. The extensions LinkedIn scans for are its competitors.

Full details: browsergate.eu

Subject: LinkedIn expanded browser surveillance 10x after DMA gatekeeper designation

Hi [name],

LinkedIn scanned 461 Chrome extensions in 2024. By December 2025, the number was 5,459. The 10x expansion correlates with LinkedIn’s designation as a DMA gatekeeper in September 2023 and the obligation to allow third-party tool access under Article 6(10).

The EU mandated interoperability. LinkedIn responded by building a surveillance system to detect and punish users of the exact tools the DMA was meant to protect.

Meanwhile, LinkedIn’s internal API (Voyager) handles 163,000 requests per second. The external API it offers to comply with DMA Article 6(10) handles 0.07 requests per second. That’s a 2.25 million to one disparity.

A Fairlinked e.V. case challenging LinkedIn’s practices is pending at LG München I.

Full legal analysis and technical evidence: browsergate.eu

For local news and general reporters

Subject: LinkedIn secretly scans 405 million users’ browsers — here’s how to check yours

Hi [name],

LinkedIn scans every Chrome user’s browser for 6,222 installed extensions without consent or disclosure. The scan covers sales tools, job search extensions, ad blockers, VPNs, and extensions tied to religion, politics, and disability. About 405 million users are affected.

Your audience can check if their extensions are on the list at browsergate.eu. The site includes a searchable database of every extension LinkedIn scans for, pulled directly from LinkedIn’s own source code.

Happy to arrange an interview with the research team behind the investigation.


Tips

Send one pitch per journalist. Don’t send all five.

Follow up once after 3 days. One follow-up, not three.

Don’t attach files. Link to browsergate.eu. Large attachments from strangers go to spam.

Don’t pitch two journalists at the same outlet. They talk to each other.

For direct press inquiries: [email protected]

11.5 - Fund the fight!

12 - Updates


LinkedIn Faces First Court Action Over Covert Browser Scanning

Munich, 22 January 2026

Teamfluence Signal Systems OÜ, an Estonian software company behind the social selling platform Teamfluence, has filed a preliminary injunction against LinkedIn Ireland Unlimited Company and LinkedIn Germany GmbH at the Regional Court of Munich (Landgericht München I, Case No. 37 O 104/26).

The company is represented by Glade Michel Wirtz (GMW), the law firm that secured the first successful DMA-based private enforcement action last year, when the Mainz Regional Court ordered Google to stop favouring its own Gmail service during Android account setup.

The LinkedIn proceedings turn on alleged violations of the Digital Markets Act, EU competition law, and German data protection rules. The case is presided over by Dr. Michaela Althaus of the 37th Civil Chamber — the same judge who previously ruled against Google in a competition law injunction proceeding.

13 - Credits

BrowserGate

is an investigation and campaign by

Fairlinked - Allianz für digitale Fairness e.V.
c/o Postflex #9498
Emsdettener Str. 10
48268 Greven

Amtsgericht Steinfurt, VR 2059

Board Members: S. Morell | J. Liebling | M. Sayed

Special Thanks