LinkedIn knows what browser extensions you’re running. Not because you told it. Not because you opted in. Because it looked.
That’s the central allegation in a new report from Alexander Hanff, a privacy researcher and technologist who has spent years scrutinizing how major platforms interact with user devices. His findings, compiled under the banner “BrowserGate,” accuse Microsoft-owned LinkedIn of secretly scanning users’ browsers to detect installed extensions, collecting granular device data, and doing so without meaningful consent. If the claims hold up, LinkedIn may have one of the largest corporate surveillance operations hidden in plain sight — running quietly every time a user loads the platform.
The report, first covered by TechRadar, doesn’t mince words. Hanff calls it “one of the largest corporate espionage and data breach scandals in digital history.” That’s a bold claim for a platform most people associate with job hunting and corporate humblebrags. But the technical evidence he presents is detailed enough to warrant serious attention from privacy advocates, regulators, and the roughly one billion people who use LinkedIn worldwide.
Here’s what Hanff says he found. LinkedIn’s front-end code allegedly contains scripts that enumerate browser extensions installed on a visitor’s device. Extension fingerprinting, as it’s known in security circles, is a technique that can identify specific tools a user has installed — ad blockers, VPNs, password managers, accessibility tools, developer utilities, even mental health or political organizing plugins. Individually, knowing someone uses an ad blocker might seem trivial. Collectively, a list of extensions can create a remarkably precise fingerprint of a user, one that persists even when cookies are cleared or browsers are switched.
The technique isn’t new. Researchers have documented extension fingerprinting for years, and it’s been used in various forms by advertising networks and analytics firms. What makes the LinkedIn allegation different is scale and context. LinkedIn isn’t a sketchy ad network. It’s a professional platform owned by Microsoft, governed by GDPR in Europe, and trusted by hundreds of millions of users with sensitive career and personal data. The expectation of privacy — or at least informed consent — is higher.
And the data collection allegedly goes beyond extensions. Hanff’s report claims LinkedIn also gathers detailed device information: screen resolution, installed fonts, hardware configurations, and other attributes commonly associated with browser fingerprinting. Combined with extension data, this creates a composite profile that can track users across sessions and potentially across devices, all without relying on traditional cookies that users can see and delete.
LinkedIn has not issued a detailed public rebuttal of the BrowserGate report’s specific technical claims as of this writing. The company’s privacy policy does reference the collection of device and usage data, but critics argue the language is too vague to constitute informed consent for the kind of granular scanning Hanff describes. There’s a meaningful difference between telling users you collect “device information” and telling them you’re cataloging their browser extensions one by one.
The legal implications could be significant. Under the EU’s General Data Protection Regulation, any processing of personal data requires a lawful basis — typically consent or legitimate interest. Extension fingerprinting is difficult to justify under legitimate interest because it goes well beyond what’s necessary to deliver the service a user has requested. The ePrivacy Directive, which governs electronic communications across Europe, is even more explicit: accessing or storing information on a user’s device generally requires prior consent, with narrow exceptions for what’s strictly necessary to provide the service. Scanning for browser extensions doesn’t obviously qualify.
In the United States, the legal terrain is patchier but shifting. California’s Consumer Privacy Act and its successor, the CPRA, give residents rights over their personal data and require businesses to disclose specific categories of information collected. Several other states have enacted or are considering similar legislation. If LinkedIn is fingerprinting browsers without disclosure, it could face regulatory scrutiny on both sides of the Atlantic.
So why would LinkedIn do this? Several theories circulate. The most charitable interpretation is anti-fraud and bot detection. Browser fingerprinting is a legitimate tool for identifying automated accounts and preventing scraping — both persistent problems for LinkedIn. Detecting certain extensions could help flag suspicious activity. But that rationale has limits. You don’t need to catalog every extension to spot bots, and the breadth of data collection Hanff describes appears to exceed what fraud prevention would require.
A less charitable reading points to competitive intelligence and advertising optimization. LinkedIn’s advertising business has grown substantially, and detailed user profiling makes ad targeting more precise — and more profitable. Knowing that a user has a specific CRM extension installed, for example, could signal purchasing intent for enterprise software. That’s gold for B2B advertisers. Microsoft reported LinkedIn revenue of $16.4 billion for fiscal year 2024, with advertising and premium subscriptions driving growth. The financial incentive to collect more data, not less, is obvious.
There’s also the question of what happens to this data once collected. Does it stay within LinkedIn? Is it shared with Microsoft’s broader advertising infrastructure? Is it accessible to third-party partners? The BrowserGate report raises these questions without definitive answers, but the mere possibility is enough to concern privacy professionals. Data collected for one purpose has a way of finding other uses, especially within large corporate structures where different divisions have different priorities.
The timing of these revelations is notable. Public trust in big tech’s data practices is already low. Meta faces ongoing scrutiny over its tracking practices. Google has spent years waffling on its plan to deprecate third-party cookies in Chrome, a decision with enormous implications for the tracking industry. Apple has made privacy a core marketing message, restricting cross-app tracking on iOS and limiting fingerprinting in Safari. Against this backdrop, allegations that LinkedIn is quietly fingerprinting browsers feel particularly tone-deaf.
Browser vendors themselves have been cracking down on fingerprinting techniques. Firefox and Brave block many common fingerprinting vectors by default. Chrome has introduced some protections, though critics argue Google’s own advertising business creates a conflict of interest. Safari’s Intelligent Tracking Prevention specifically targets fingerprinting. If LinkedIn’s scripts are circumventing or working around these protections, that raises additional technical and ethical questions.
Hanff isn’t an unknown figure in privacy circles. He’s testified before the European Parliament on privacy matters and has been involved in advocacy around the ePrivacy Regulation for years. His work on cookie consent and tracking technologies has influenced regulatory thinking in the EU. That lends his findings a degree of credibility that a random blog post wouldn’t carry. But independent verification of the specific technical claims is still needed. Security researchers will likely attempt to replicate his findings in the coming weeks, and their conclusions will matter enormously.
The broader pattern here is worth examining. Extension fingerprinting represents a category of surveillance that operates below the threshold of most users’ awareness. People understand cookies — or at least they understand the concept after years of consent banners. They understand that apps request permissions. But the idea that a website can silently inventory your browser’s installed tools? That’s unfamiliar territory for most, and it exploits a gap between technical capability and public understanding.
This gap is precisely what regulators are trying to close. The proposed ePrivacy Regulation, which has been stalled in EU legislative negotiations for years, would strengthen rules around device fingerprinting and similar techniques. In the U.S., the FTC has signaled increased interest in dark patterns and undisclosed data collection. But regulation moves slowly, and technology moves fast. By the time rules catch up, the data has already been collected.
For LinkedIn users — particularly those in sensitive industries like law, healthcare, government, and journalism — the implications are immediate. A lawyer using a whistleblower protection extension. A journalist with a source-protection tool installed. A government employee running a VPN. The extensions people install reveal their concerns, their work, and sometimes their vulnerabilities. That information in the wrong hands, or even in the right hands used carelessly, creates real risk.
What should users do in the meantime? The practical advice is straightforward but limited. Use browsers with strong anti-fingerprinting protections. Minimize installed extensions. Use dedicated browser profiles for different activities. But these are workarounds, not solutions. The burden shouldn’t fall on individual users to defend against surveillance by platforms they’ve chosen to trust.
And that’s the core issue. Trust. LinkedIn’s value proposition is built on professional trust — trust that your data will be handled responsibly, that your profile serves your interests, that the platform operates transparently. If the BrowserGate allegations prove accurate, that trust has been violated in a way that’s difficult to repair with a policy update or an apologetic blog post.
Microsoft, LinkedIn’s parent company, has positioned itself as a responsible steward of data and a champion of privacy relative to some competitors. CEO Satya Nadella has spoken repeatedly about earning customer trust. If a Microsoft-owned platform is running covert browser surveillance, it undermines that narrative — not just for LinkedIn, but for Microsoft’s entire portfolio of enterprise and consumer products.
The story is still developing. Hanff has indicated he intends to file formal complaints with data protection authorities in multiple jurisdictions. Regulatory investigations, if they materialize, could take months or years. In the meantime, the technical community will scrutinize LinkedIn’s code, and the company will face mounting pressure to provide a transparent, detailed response.
One thing is already clear. The era of quiet data collection — of burying aggressive tracking in vague privacy policies and hoping no one looks too closely — is ending. Not because companies have suddenly developed scruples, but because researchers, regulators, and an increasingly informed public are paying attention. LinkedIn may be the latest company caught in that spotlight. It won’t be the last.
WebProNews is an iEntry Publication