LinkedIn Has Been Secretly Scanning Your Browser Extensions and Sending Your Data To Israel

An investigation by Fairlinked e.V. reveals LinkedIn injects JavaScript that probes for 6,222 browser extensions, exposing users' religious beliefs, political views, disability status, and hidden job searches to the platform — with no disclosure and no consent.

  • LinkedIn scans Chrome browsers for 6,222 extensions via hidden JavaScript — up from 461 in 2024
  • Detected extensions expose users’ religious beliefs, political views, disability status, and covert job searches
  • EU regulators are investigating under GDPR and DMA as legal proceedings unfold in Germany

Every time someone visits LinkedIn in Chrome, a piece of JavaScript runs in their browser that most people never see — and never consented to. It fires thousands of requests probing for specific extensions, reads the contents of the page, and builds a detailed profile of that user’s digital habits. It is called BrowserGate, and the evidence behind it is extensive, timestamped, and now the subject of formal legal proceedings in Germany.

The investigation, conducted by Fairlinked e.V., a European advocacy organization for professional LinkedIn users and independent toolmakers, found that LinkedIn’s website injects JavaScript into every Chrome user’s browser upon visiting linkedin.com. The code lives inside webpack chunk 905 — a 2.7 MB bundle that contains three cooperating surveillance systems: an active extension detection engine, a passive DOM-scanning module called Spectroscopy, and a device fingerprinting engine collecting 48 distinct browser characteristics.

The active detection method fires up to 6,222 fetch() requests simultaneously against chrome-extension:// URLs — attempting to load known files from each extension a user may have installed. If a request resolves, the extension is marked as present. The passive method walks the entire DOM tree, hunting for extension identifiers embedded in page text and attributes. Both results feed into LinkedIn’s telemetry pipeline, are encrypted with an RSA public key, and are sent to li/track and /platform-telemetry/li/apfcDf.
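
As an added illustration (not code from the investigation or from LinkedIn), the Node.js sketch below audits extension manifests from the user's side: a page can only fetch a chrome-extension:// file that the extension lists under web_accessible_resources, so that manifest key decides whether the active probe described above can see the extension. The manifests and extension names are constructed samples, and the match-pattern handling covers http/https patterns only.

```javascript
// Added example. SAMPLES are constructed manifests, not real extensions.
const esc = (s) => s.replace(/[.+?^${}()|[\]\\]/g, '\\$&');

// Translate a Chrome match pattern into a RegExp (http/https patterns only).
function matchPatternToRegExp(pattern) {
  if (pattern === '<all_urls>') return /^https?:\/\//;
  const m = /^(\*|https?):\/\/(\*|\*\.[^/*]+|[^/*]+)(\/.*)$/.exec(pattern);
  if (!m) return null; // unsupported or malformed: treated as matching nothing
  const scheme = m[1] === '*' ? 'https?' : m[1];
  const host = m[2] === '*' ? '[^/]+'
    : m[2].startsWith('*.') ? '([^/]+\\.)?' + esc(m[2].slice(2))
    : esc(m[2]);
  return new RegExp('^' + scheme + '://' + host + esc(m[3]).replace(/\*/g, '.*') + '$');
}

// Resource paths that a page at pageUrl could request from this extension.
function probeableResources(manifest, pageUrl) {
  const out = [];
  for (const entry of manifest.web_accessible_resources || []) {
    // Manifest V2 lists plain strings, readable from any origin.
    if (typeof entry === 'string') { out.push(entry); continue; }
    // Manifest V3: use_dynamic_url is documented as serving resources only
    // under a per-session ID, so a probe of the fixed extension ID fails.
    if (entry.use_dynamic_url) continue;
    const hit = (entry.matches || []).some((p) => {
      const re = matchPatternToRegExp(p);
      return re !== null && re.test(pageUrl);
    });
    if (hit) out.push(...(entry.resources || []));
  }
  return out;
}

const war = (entry) => ({ manifest_version: 3, web_accessible_resources: [entry] });
const SAMPLES = {
  'mv2-legacy': { manifest_version: 2, web_accessible_resources: ['img/icon.png'] },
  'mv3-all-urls': war({ resources: ['inject.js'], matches: ['<all_urls>'] }),
  'mv3-site': war({ resources: ['panel.html'], matches: ['*://*.linkedin.com/*'] }),
  'mv3-scoped': war({ resources: ['ui.css'], matches: ['https://mail.example.com/*'] }),
  'mv3-dynamic': war({ resources: ['a.js'], matches: ['<all_urls>'], use_dynamic_url: true }),
  'mv3-none': { manifest_version: 3 },
};

// Names of sample extensions a page at pageUrl could detect by probing.
function detectable(manifests, pageUrl) {
  return Object.keys(manifests)
    .filter((name) => probeableResources(manifests[name], pageUrl).length > 0);
}
console.log(detectable(SAMPLES, 'https://www.linkedin.com/feed/'));
```

Feeding the function the manifest.json files from a browser profile's extension directory shows which installed extensions would answer such a probe; extensions that declare no web-accessible resources for the visiting origin do not.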

The scan list has grown at a remarkable rate. In 2017 it covered 38 extensions. By 2024 there were 461. In February 2026, the list reached 6,222 separate products — adding roughly 12 new extensions per day over the preceding three months.

What LinkedIn’s Browser Extension Scanning Reveals About You

The implications of scanning that many extensions are significant. Fairlinked’s evidence pack lists categories of data that LinkedIn can infer from what a user has installed: religious beliefs, political opinions, disability status, and covert job-search activity.

On the religious side, extensions like PordaAI — which blurs content deemed haram — and Deen Shield are among those on the scan list. For political orientation, the list includes markers like “Anti-woke,” “Anti-Zionist Tag,” and “No more Musk.” For disability and neurodivergence, the extension “Simplify” — designed to improve usability for neurodivergent users — is on the list. The scan also detects 509 separate job-search extensions, raising the particularly sensitive question of who is quietly looking for work while their current employer can see their LinkedIn profile.

The system does not stop at individuals. Aggregated scans produce detailed maps of which software tools employees at specific organizations use without their employer’s knowledge — mapping competitive tool adoption across companies, institutions, and government agencies. Extensions for tools like Apollo, Lusha, and ZoomInfo are catalogued alongside religious and political indicators.

None of this is disclosed in LinkedIn’s privacy policy. No user has been asked for consent. The scan runs silently in the background every time a Chrome-based browser visits the platform.

LinkedIn Browser Extension Scanning Faces GDPR and DMA Reckoning

The legal exposure is substantial. Under GDPR, processing data that infers religious belief, political opinion, or disability status requires explicit consent and a valid lawful basis. The data collected by LinkedIn’s scan may constitute such special-category data, collected without either. The EU’s Digital Markets Act, under which Microsoft and LinkedIn were designated gatekeepers in 2024, requires gatekeepers to provide business users and third parties with free, real-time access to user data — something Fairlinked argues LinkedIn has systematically violated by restricting API access while conducting its own far more intrusive surveillance.

Perhaps the most striking piece of evidence is a sworn affidavit submitted to a German court in February 2026 by a LinkedIn Senior Manager of Software Engineering. Under penalty of perjury, the manager acknowledged that LinkedIn has “invested in extension detection mechanisms without which LinkedIn would not have been able to trace the cause of service impacts and outages.” A separate passage in the same affidavit admits that LinkedIn’s systems “may have taken action against LinkedIn users that happen to have [redacted] installed” — a direct contradiction of LinkedIn’s public position that extension data is not used in its systems.

Fairlinked e.V. has filed legal proceedings against LinkedIn in Munich. EU regulators are conducting a fact-finding initiative. LinkedIn and Microsoft have not issued a public response to the allegations as of April 2026.

LinkedIn is not the only platform that has run into legal trouble over unauthorized data collection from its users’ own software environments. In March 2026, a federal judge granted Amazon a preliminary injunction blocking Perplexity’s AI browser agent from accessing Amazon’s platform — the court found that user permission to access a website does not equal platform authorization. Both cases turn on the same principle: a platform cannot unilaterally expand its access to a user’s digital environment because that environment happens to be within reach of the browser. BrowserGate extends that argument into a new domain — not AI agents this time, but invisible JavaScript running silently in the background of one of the world’s most visited websites.

The technical evidence — a timestamped JavaScript bundle, a cryptographically verified evidence pack, and a sworn court admission — makes this different from most privacy complaints. BrowserGate is not an allegation. It is a documented piece of code running on one of the most visited websites in the world, and it has been running for years.
