A class action complaint was filed on April 6, 2026, in the US District Court for the Northern District of California, bringing six causes of action under federal and California privacy law against LinkedIn Corporation, a subsidiary of Microsoft. The case, Ganan v. LinkedIn Corporation, Case 5:26-cv-02968, was filed by the Law Office of J.R. Howell on behalf of plaintiff Jeff Ganan, a sales professional based in Los Angeles County, and a proposed nationwide class of Chrome browser users who accessed linkedin.com within the United States.

The complaint alleges LinkedIn ran a covert browser surveillance system on every Chrome user who visited linkedin.com - one that probed for thousands of installed browser extensions, assembled a device fingerprint from dozens of hardware and software characteristics, and routed encrypted results through undisclosed third parties, all without disclosure in the platform's privacy policy and without user consent.

The technical architecture, piece by piece

According to the complaint, LinkedIn delivered a production JavaScript bundle - identified in inspected builds as a Webpack package referenced as chunk.905, with extension-detection logic appearing in a module identified as module 75023 - that contained a coordinated browser-interrogation system.

The system operated through two distinct mechanisms running in parallel. First, an active extension-probing system maintained a hardcoded list pairing thousands of 32-character browser-extension identifiers with specific internal file paths for each targeted extension. LinkedIn's code then attempted requests to URLs of the form chrome-extension://{id}/{file} to determine whether the targeted extension was installed. In inspected builds from late 2025 and early 2026, that list contained more than 5,000 entries and later more than 6,000 entries. The code could launch these probes in parallel or sequentially with a configurable delay between requests.

Second, a passive DOM-based detection mechanism - referred to in inspected materials as "Spectroscopy" - recursively traversed the document tree and inspected both text nodes and element attributes for strings beginning with chrome-extension://. When the code found such a string, it extracted the extension identifier embedded in the URL. This mechanism could detect extension traces even from extensions not on the hardcoded probe list, capturing any extension that had altered LinkedIn's page in any way.

Critically, according to the complaint, LinkedIn deferred portions of the scan to browser idle time using the requestIdleCallback API. This reduced the likelihood of a visible performance spike and made the process less noticeable. Failed requests were silently discarded. No visible user interaction was required before the scan ran.
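The mechanisms described above leave recognisable traces in a saved JavaScript bundle: hard-coded extension IDs, chrome-extension:// URL construction, DOM traversal looking for those URLs, and requestIdleCallback deferral. As an added example (not code from the article, the complaint or LinkedIn), the following static triage pass flags those indicators in a bundle a researcher has saved locally, so the kind of check the investigation made can be reproduced. The indicator names, the regular expressions and the mass-enumeration threshold are our own assumptions; the ID alphabet (32 letters a-p) is Chrome's documented extension-ID format, and the sample bundle text is constructed.

```javascript
// Added example, not code from the article, the complaint or LinkedIn: a static triage
// pass over a JavaScript bundle for the indicators described in the article.
// Assumptions (ours): the indicator names, the regexes and the mass-enumeration
// threshold. The ID format (32 letters a-p) is Chrome's documented extension-ID alphabet.

// Chrome extension IDs are 32 characters drawn from the letters a-p.
const EXTENSION_ID_RE = /\b[a-p]{32}\b/g;

// Surface-level indicators of the mechanisms the article describes: probe URLs,
// DOM traversal that looks for extension URLs, idle-time deferral, and probe
// failures being swallowed.
const INDICATOR_PATTERNS = {
  probesExtensionUrls: /chrome-extension:\/\//,
  scansDomForExtensionUrls: /(createTreeWalker|querySelectorAll|childNodes)[\s\S]{0,200}chrome-extension:/,
  defersToIdleTime: /requestIdleCallback\s*\(/,
  swallowsProbeFailures: /\.catch\(\s*\(\)\s*=>\s*\{\s*\}\s*\)/,
};

// Our threshold: a few IDs may be a legitimate companion-extension integration;
// a list in the hundreds or thousands looks like enumeration.
const MASS_ENUMERATION_THRESHOLD = 50;

// Collect the distinct extension IDs hard-coded in the bundle text.
function findExtensionIds(bundleText) {
  const ids = new Set();
  for (const match of bundleText.matchAll(EXTENSION_ID_RE)) ids.add(match[0]);
  return [...ids].sort();
}

// Run every indicator regex and summarise what the bundle appears to do.
function triageBundle(bundleText) {
  const extensionIds = findExtensionIds(bundleText);
  const indicators = {};
  for (const [name, re] of Object.entries(INDICATOR_PATTERNS)) {
    indicators[name] = re.test(bundleText);
  }
  const anyIndicator = Object.values(indicators).some(Boolean);
  let verdict;
  if (extensionIds.length >= MASS_ENUMERATION_THRESHOLD) {
    verdict = `mass extension enumeration (${extensionIds.length} ids)`;
  } else if (indicators.probesExtensionUrls && extensionIds.length > 0) {
    verdict = `targeted extension probing (${extensionIds.length} ids)`;
  } else if (anyIndicator) {
    verdict = 'possible extension probing, review manually';
  } else {
    verdict = 'no extension-probing indicators';
  }
  return {
    extensionIds,
    uniqueIdCount: extensionIds.length,
    indicators,
    massEnumeration: extensionIds.length >= MASS_ENUMERATION_THRESHOLD,
    verdict,
  };
}

// Constructed sample input: fragments shaped like the bundle the article describes.
// The IDs are made up and the fragments are not a working probe.
const SAMPLE_BUNDLE = `
var L=[["abcdefghijklmnopabcdefghijklmnop","manifest.json"],["ponmlkjihgfedcbaponmlkjihgfedcba","icon.png"],["aabbccddeeffgghhiijjkkllmmnnoopp","content.js"]];
/* ... */ u="chrome-extension://"+e[0]+"/"+e[1] /* ... */ .catch(()=>{})
/* ... */ w=document.createTreeWalker(document.body,4) /* ... */ t.indexOf("chrome-extension://")
requestIdleCallback(run,{timeout:2000});
var d="zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz";
`;

// Constructed control input: an ordinary bundle with none of the indicators.
const CLEAN_BUNDLE = `
function render(s){document.getElementById("root").textContent=s}
fetch("/api/feed").then(r=>r.json()).then(render);
`;

console.log(JSON.stringify(triageBundle(SAMPLE_BUNDLE), null, 2));
console.log(triageBundle(CLEAN_BUNDLE).verdict);
```

The ID regex deliberately ignores the decoy string of letters outside a-p, and the verdict distinguishes a handful of IDs (which a site might legitimately use to talk to its own companion extension) from a list long enough to be enumeration; the exact threshold is a judgment call and should be tuned against bundles you know to be benign.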

The results fed into a broader fingerprinting system referred to in inspected materials as APFC - Anti-fraud Platform Features Collection - and also as DNA, or Device Network Analysis. According to the complaint, the APFC system collected numerous browser and device characteristics beyond extension data, including WebRTC-derived local IP information, CPU and memory characteristics, canvas output, WebGL characteristics, audio-context features, font data, battery information, screen properties, browser language and time zone, automation indicators, plugins and MIME types, and private-browsing indicators.

The resulting payload was serialized and encrypted using a public key identifier referred to as apfcDfPK, stored in the browser context on globalThis.apfcDf, and transmitted to telemetry destinations including LinkedIn's li/track endpoint and APFC-related collection endpoints. The encrypted fingerprint was then reinjected into every subsequent API request during the user's session through synchronization logic using internal feature flags named sync.apfc.headers and pemberly.tracking.apfc.network.interceptor.

A hidden channel to third parties

The complaint goes further than describing what LinkedIn collected from users. It also describes what LinkedIn allegedly passed to outside parties. According to the filing, LinkedIn embedded a hidden cross-origin iframe - rendered at zero by zero pixels, positioned off-screen, and marked hidden from assistive technologies - that operated during live user sessions. The iframe read and set its own cookies coded to appear as LinkedIn's first-party cookies, giving the outside recipient a persistent foothold in the user's live browser session without the user's knowledge.

LinkedIn passed session-linked values into this concealed environment including timestamps, a hashed session cookie, an application identifier, and a use-context string associated with anti-abuse review. The outside recipient's own public policies, according to the complaint, state that it may integrate such data into its own products, share it with other clients, and use it for behavioral modeling and industry benchmarking. LinkedIn users were never told this channel existed.

In representative inspected builds, LinkedIn's surrounding systems also included a hidden HUMAN Security iframe loaded from li.protechts.net and a separate fingerprinting script from merchantpool1.linkedin.com. As covered previously on PPC Land, LinkedIn integrated HUMAN Security into its advertising platform in May 2024 as a partner for invalid traffic detection. The BrowserGate investigation reveals that the same HUMAN Security integration operates at browser infrastructure level on every page load, for all users, not only in advertising contexts.

What the extension list reveals

The breadth of the extension target list sits at the center of the legal dispute. According to the complaint and the accompanying press release from Fairlinked e.V. - the Germany-registered nonprofit association of commercial LinkedIn users that conducted the underlying technical investigation - the scan list is not limited to tools that scrape or automate LinkedIn.

The list includes religious extensions that can identify a user's faith, political opinion extensions, tools built for neurodivergent users, hundreds of job search extensions that reveal whether someone is looking to leave their current position, sales and prospecting tools, and products that compete directly with LinkedIn's own commercial offerings. At the same time, the complaint states, LinkedIn's own representations elsewhere indicate that its abuse models do not treat any particular extension alone as dispositive, and that users were not acted against merely because they had a particular extension installed. This, the plaintiff argues, demonstrates the scan list reached far beyond what was reasonably necessary for narrow anti-abuse purposes.

As J.R. Howell, attorney for the plaintiff and proposed class, stated in the accompanying press release: "This system can identify a user's religion, their political views, whether they have a disability, and whether they are secretly looking for work. LinkedIn knows every user's real name and employer. This is not abstract data collection. These are identified people being profiled without their knowledge."

PPC Land's detailed technical investigation published on April 5, 2026 documented that LinkedIn scanned for 38 extensions in 2017, approximately 461 by 2024, and more than 6,000 by early 2026 - a growth of roughly 12 new entries per day during the expansion period.

The DMA dimension

The timing of the scan list's growth intersects with a separate set of concerns under the EU's Digital Markets Act. In 2023, the European Commission designated LinkedIn as a gatekeeper under the DMA, requiring the platform to open access to third-party tools. According to documents published by Fairlinked, LinkedIn's response has involved, in public, publishing two restricted APIs handling approximately 0.07 calls per second, while its internal Voyager API - which powers all LinkedIn's web and mobile products - handles 163,000 calls per second. Microsoft's 249-page compliance report to the European Commission mentions "API" hundreds of times but does not mention Voyager. Microsoft's compliance report states it cannot provide faster access. The disparity is 2.25 million to one, according to Fairlinked.

Behind the scenes, the investigation argues, LinkedIn simultaneously expanded its extension scan list from roughly 460 entries in 2024 to over 6,000 by early 2026, including over 200 products that compete directly with its sales tools. The DMA explicitly gives businesses the right to build on LinkedIn's platform. The BrowserGate investigation's central contention is that LinkedIn built a surveillance system to identify every user and company that tries to do exactly that.

LinkedIn's designation as a DMA gatekeeper sits within a broader context of European regulatory pressure on large platforms. The European Commission opened cloud gatekeeper probes into Amazon Web Services and Microsoft Azure in November 2025, expanding regulatory scrutiny across the Microsoft infrastructure stack.

Fairlinked has filed complaints with the European Commission and is coordinating with the Law Office of J.R. Howell on the US class action. The technical evidence has been preserved with RFC 3161 qualified timestamps, and BleepingComputer independently verified the scanning. LinkedIn has not denied any of the findings, according to the press release. Steven Morell, a Board Member of Fairlinked e.V., stated: "LinkedIn's members are people and businesses who love the platform and invest heavily into it. We are here to hold Microsoft accountable and make LinkedIn accessible, so that users are protected from abuse and the millions of businesses and individuals who invest daily into the platform get their return on investment."

Microsoft has described the findings as a "smear campaign" and called the scanning necessary security measures, according to Fairlinked.

The complaint brings six causes of action. The first is a violation of the Federal Electronic Communications Privacy Act, specifically the Federal Wiretap Act under 18 U.S.C. sections 2511 and 2520, which prohibits intentionally intercepting or procuring the interception of electronic communications. The plaintiff alleges LinkedIn's APFC code contemporaneously duplicated content-bearing page-context fields - including href, pathname, hash, and related location values that disclosed what users were doing during live sessions - and transmitted them through a simultaneous hidden channel to outside recipients.

The second cause of action is a violation of California's Comprehensive Computer Data Access and Fraud Act, California Penal Code section 502. The complaint argues that LinkedIn's code constituted a "computer contaminant" within the statutory definition because it was designed to record and transmit information without the user's intent or permission, overcame Chrome's natural code-based security architecture, and hid its existence. Chrome's own documentation warns that making extension resources web-accessible can make an extension detectable by websites and attackers - and LinkedIn, according to the complaint, deliberately exploited this to conduct mass enumeration.

The third cause of action is a violation of California Penal Code sections 638.50 through 638.51, the pen register and trap-and-trace device statute, which the California Invasion of Privacy Act makes actionable with statutory damages of $5,000 per violation. The fourth is a violation of California Penal Code section 631. The fifth is invasion of privacy under article I, section 1 of the California Constitution. The sixth is intrusion upon seclusion under California common law.

The complaint seeks compensatory and punitive damages, statutory damages of $5,000 per violation, and an injunction requiring LinkedIn to stop the scanning and delete collected data. The proposed Nationwide Class covers all Chrome browser users with a LinkedIn account who accessed linkedin.com from the United States during the class period. A California Class is defined in the alternative.

Chrome's security architecture and the bypass

One technical aspect the complaint addresses with particular specificity is how LinkedIn's code interacted with Chrome's extension architecture. Chrome's design separates ordinary websites from the internal code and resources of installed browser extensions - extensions run in isolated execution contexts and webpages cannot access them unless the developer explicitly declares resources as web-accessible. Chrome's own documentation warns this makes an extension potentially detectable by websites and attackers.

According to the complaint, LinkedIn exploited the narrow conditional exposure created by web_accessible_resources to infer facts about software in the user's browser environment that Chrome's architecture otherwise keeps separated from the host website. When an extension did not expose a probeable resource or permit direct contact, LinkedIn's code fell back to Spectroscopy - the DOM-scanning mechanism that inferred extension presence from traces left on the page after extensions interacted with it. The code also attempted direct extension communication as part of the same detection chain before falling back to resource probing. The complaint characterizes this layered fallback design as coded like malware: "it is nonpermissioned by the unsuspecting user - it is a computer contaminant the CDAFA protects against."
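The exposure the complaint describes exists only for resources an extension declares as web-accessible, and in Manifest V3 the developer controls which origins can reach them. As an added example (not Chrome's code and not anything from the complaint), the audit below reads an extension manifest and reports, per resource, which sites can request it and therefore whether a static chrome-extension://{id}/ probe would find it. The manifest keys used (manifest_version, web_accessible_resources, resources, matches, extension_ids, use_dynamic_url) are Chrome's documented fields; the severity labels, the list of "broad" match patterns and the sample manifests are our own constructions.

```javascript
// Added example, not Chrome's code and not from the complaint: an audit of an extension
// manifest for resources that ordinary web pages can request, which is the exposure the
// article says the probes relied on. Manifest keys are Chrome's documented fields;
// severity labels and the BROAD_MATCH_PATTERNS list are our own choices.

// Match patterns that let every site read the resource.
const BROAD_MATCH_PATTERNS = ['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*'];

function isBroadMatch(pattern) {
  return BROAD_MATCH_PATTERNS.includes(pattern);
}

// Returns one finding per exposed resource: which origins can request it and why
// that matters for detectability by a web page.
function auditWebAccessibleResources(manifest) {
  const findings = [];
  const war = manifest.web_accessible_resources;
  if (!Array.isArray(war) || war.length === 0) return findings; // nothing is reachable from pages

  if (manifest.manifest_version === 2) {
    // MV2: a flat list of paths, readable from every origin, with no way to scope it.
    for (const resource of war) {
      findings.push({
        resource,
        severity: 'high',
        exposedTo: ['<all_urls>'],
        reason: 'MV2 exposes web_accessible_resources to every site; moving to MV3 allows scoping with "matches"',
      });
    }
    return findings;
  }

  // MV3: each entry pairs resources with the sites or extensions allowed to load them.
  for (const entry of war) {
    const matches = entry.matches || [];
    const extensionIds = entry.extension_ids || [];
    const dynamicUrl = entry.use_dynamic_url === true;
    for (const resource of entry.resources || []) {
      let severity;
      let reason;
      if (matches.some(isBroadMatch)) {
        if (dynamicUrl) {
          // Per Chrome's documentation, use_dynamic_url makes the resource reachable
          // only through a per-session dynamic ID rather than the static extension ID.
          severity = 'medium';
          reason = 'exposed to every site, but only via a per-session dynamic ID, so a fixed chrome-extension://<id>/ probe list does not find it';
        } else {
          severity = 'high';
          reason = 'exposed to every site at a static chrome-extension://<id>/ path, so any page can probe for it';
        }
      } else if (matches.length > 0) {
        severity = 'low';
        reason = `only pages matching ${matches.join(', ')} can request it`;
      } else if (extensionIds.length > 0) {
        severity = 'low';
        reason = 'only the listed extensions can request it; web pages cannot';
      } else {
        severity = 'info';
        reason = 'entry grants access to no site and no extension';
      }
      findings.push({ resource, severity, exposedTo: matches.length > 0 ? matches : extensionIds, reason });
    }
  }
  return findings;
}

// Count findings by severity so a reviewer sees the shape of the exposure at a glance.
function summarizeFindings(findings) {
  return findings.reduce((acc, f) => {
    acc[f.severity] = (acc[f.severity] || 0) + 1;
    return acc;
  }, {});
}

// Constructed sample manifests (not real extensions).
const MV2_MANIFEST = {
  manifest_version: 2,
  name: 'sample-mv2',
  web_accessible_resources: ['icon.png', 'lib/*'],
};

const MV3_MANIFEST = {
  manifest_version: 3,
  name: 'sample-mv3',
  web_accessible_resources: [
    { resources: ['inject.css'], matches: ['https://example.com/*'] },
    { resources: ['logo.png'], matches: ['<all_urls>'] },
    { resources: ['bridge.js'], matches: ['<all_urls>'], use_dynamic_url: true },
  ],
};

for (const m of [MV2_MANIFEST, MV3_MANIFEST]) {
  console.log(m.name, summarizeFindings(auditWebAccessibleResources(m)));
}
```

For an extension developer the practical takeaways are the two "high" outcomes: a Manifest V2 extension cannot avoid being probeable if it exposes anything, and a Manifest V3 extension that uses a broad match pattern without use_dynamic_url is equally probeable. Narrowing matches to the origins that actually need the resource, or enabling use_dynamic_url, is what removes the extension from the reach of a static probe list.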

The role of Fairlinked and the investigation's foundations

The BrowserGate investigation into the surveillance operation was published by Fairlinked e.V., Alliance for Digital Fairness - a newly founded nonprofit association of commercial LinkedIn users registered in Germany, representing businesses, professionals, and toolmakers who depend on the platform worldwide. Understanding who is behind the investigation matters for assessing the weight of its claims.

Fairlinked is not a cybersecurity firm or a research institution. It is an association of businesses and individuals who have a direct commercial stake in how LinkedIn governs access to its platform. Their complaints to the European Commission, their coordination with J.R. Howell, and their fundraising to pursue DMA enforcement against Microsoft all emerge from this position. The investigation, according to the press release, found that LinkedIn doxed the private home address of a Fairlinked member to the media - a detail Fairlinked offered as evidence of Microsoft's response to the pressure the investigation created.

The technical evidence itself, however, rests on a more objective foundation. The JavaScript bundle analysis is drawn from LinkedIn's own production code served to browsers in the ordinary course of site operation. The evidence pack was cryptographically timestamped using RFC 3161 qualified timestamps, a forensically recognized standard for establishing that documents existed in a particular form at a particular time. BleepingComputer - an independent cybersecurity publication with no stated affiliation to Fairlinked - separately verified the scanning. And a sworn affidavit from LinkedIn's own Senior Engineering Manager, Milinda Lakkam, filed in German court proceedings on February 6, 2026, acknowledged that LinkedIn "invested in extension detection mechanisms." LinkedIn has not publicly denied the specific technical findings described in either the investigation or the class action complaint.

Microsoft's response and the question of proportionality

LinkedIn's public defense, as characterized in the Fairlinked press release, rests on two arguments. First, that the scanning constitutes necessary security measures. Second, that a court case exists that supports LinkedIn's position. Fairlinked disputes both.

On the security justification: the complaint's own analysis acknowledges that LinkedIn had a genuine anti-abuse objective. The document does not claim that extension detection is inherently unlawful. The argument, rather, is one of proportionality. LinkedIn simultaneously maintained HUMAN Security bot detection, reCAPTCHA v3 Enterprise, and multiple other anti-fraud layers. The existence of those alternatives - already deployed in parallel - weakens the argument that probing 6,000 extensions, including pharmacy operations tools, delivery schedulers, and Amazon image downloaders, was reasonably necessary to protect the platform from scraping.

On the court case: according to Fairlinked, the case Microsoft cites concerns an account suspension. BrowserGate was never mentioned in those proceedings. A motion for a preliminary injunction was denied, but both plaintiffs have appealed and the litigation remains ongoing. Microsoft's characterization of that outcome as a victory, according to Fairlinked's statement, is not supported by the procedural record.

A pattern of data expansion at LinkedIn

The BrowserGate class action arrives inside a broader sequence of LinkedIn data policy changes that have accumulated since 2024. In November 2025, LinkedIn began using member data to train generative AI models, introducing opt-out controls that vary by region. Members in the European Economic Area and Switzerland could opt out under a legitimate interest legal basis. Members in Canada and Hong Kong faced additional data sharing with Microsoft for personalized advertising across the Microsoft family of companies starting the same date.

At the same time LinkedIn was expanding its declared data use for AI training, it was also building out its commercial data infrastructure for advertisers. The Company Intelligence API, launched in September 2025, allows certified attribution partners to access aggregated company-level engagement data. The Revenue Attribution Report, enhanced in July 2025 with Salesforce CRM integration, lets B2B marketers track how entire organizations move through the sales funnel linked to LinkedIn campaigns. In December 2024, LinkedIn added data-driven attribution modeling and company-level engagement tracking directly inside Campaign Manager.

Each of these capabilities builds outward from LinkedIn's declared data flows. The BrowserGate complaint contends that beneath this declared infrastructure sits an additional undisclosed layer - browser-level intelligence that was being collected, encrypted, and shared with third parties whose identities were never revealed to users.

The tension between anti-scraping policy and user rights

LinkedIn's public-facing terms of service prohibit third-party software, bots, browser plug-ins, and browser add-ons that scrape or automate its services. The platform has pursued that policy actively, including shutting down third-party applications such as Kleo and Taplio in mid-2025, citing policies against unauthorized data scraping. When LinkedIn launched its Member Post Analytics API in July 2025, the platform simultaneously cracked down on third-party apps that accessed creator data through unofficial channels. A LinkedIn spokesperson stated at the time: "Our teams at LinkedIn invest in technology and take action when necessary to detect and prevent our members' information from being scraped and used without their consent."

That statement takes on different dimensions in the context of the BrowserGate complaint. The plaintiff's position is not that LinkedIn has no right to protect its platform from scraping. Paragraph 20 of the complaint is explicit on this point: "Plaintiff does not challenge LinkedIn's right to police unlawful scraping, fraud, or abuse. Plaintiff challenges the covert, overbroad, and underdisclosed means by which LinkedIn implemented those efforts." The distinction the complaint draws is between a legitimate anti-abuse purpose and a surveillance system that sweeps up extension data related to religion, disability, political views, and competitor tools far beyond anything a narrowly tailored security measure would require.

In Europe, LinkedIn already removed group-based ad targeting in 2024 following a complaint to the European Commission that the feature could enable indirect targeting based on sensitive data categories. The BrowserGate case now alleges that LinkedIn was simultaneously collecting exactly those sensitive categories - religion, political opinion, disability status - through its extension scanning system, without disclosing it.

What the session fingerprint actually tracks

The complaint gives particular technical attention to what the APFC fingerprint contains and how it persists. The system is not a one-time snapshot. Once LinkedIn assembled and encrypted the fingerprint on the initial page load, it stored the resulting value in the browser context and reinjected it into every subsequent API request during that session through SyncCollectionHandler logic. That meant every search, every profile view, every message action, and every feed load during the session carried the same device-linked identifier alongside it.

What did the fingerprint contain at the content level? The complaint identifies that LinkedIn's APFC code collected a feature internally labeled "location" which included protocol, hostname, port, origin, href, hash, and pathname. These fields, the complaint argues, went beyond abstract routing information. Href, pathname, and hash values disclose the specific LinkedIn page being viewed, the section of the platform being used, the nature of the user's activity during the session, and contextual information about what the user was requesting. The complaint characterizes this as content rather than metadata. When those fields are collected during a live session and simultaneously made available to outside recipients through the concealed iframe channel, the claim under the Federal Wiretap Act's prohibition on intercepting communications in transit follows.

Internal feature flags named sync.apfc.headers and pemberly.tracking.apfc.network.interceptor confirmed, according to the complaint, that this was a designed-in network-level signaling system rather than a passive background measurement. It was built to track the same browser across repeated requests throughout a session - not to fire once and stop.

Statutory exposure and the path to trial

The damages arithmetic in privacy class actions can become substantial quickly, and the BrowserGate complaint is no exception. The California Invasion of Privacy Act, under Penal Code section 637.2, provides statutory damages of $5,000 per violation without requiring proof of actual harm. The complaint brings three separate California statutory claims, each potentially generating independent per-violation exposure. If the class is certified nationwide - which LinkedIn's own user agreement arguably supports by selecting California law for all disputes - the number of putative class members, defined as all Chrome users with LinkedIn accounts who accessed the site from the US during the class period, could reach into the tens of millions.

The complaint also seeks punitive damages under both federal and California law, citing LinkedIn's conduct as willful, knowing, malicious, and oppressive. An injunction requiring LinkedIn to halt the scanning and delete collected fingerprint data is requested alongside the monetary relief. Courts have granted such injunctions in comparable cases. The Honey/PayPal class action, which shares the Northern District of California as its venue and the Computer Fraud and Abuse Act as one of its legal theories, saw a federal judge deny PayPal's motion to compel arbitration in November 2025, allowing that case to proceed in federal court - a procedural development that may inform how LinkedIn responds to this complaint.

Choice of law is addressed directly in the complaint at length. LinkedIn's own user agreement selects California law for disputes from users outside the designated countries, which encompasses most of the world. The complaint uses this against LinkedIn, arguing that LinkedIn itself contractually conceded the appropriateness of California law for class-wide claims. This would apply California's Penal Code privacy statutes to the Nationwide Class, not just the California Class.

What comes next

LinkedIn has not yet formally responded to the complaint. Under the Federal Rules of Civil Procedure, a defendant typically has 21 days to respond after service. Possible responses include a motion to dismiss, which would argue legal deficiencies in the complaint, a motion to transfer venue, or both. LinkedIn's legal team may also revisit the arbitration clause in its user agreement - though the complaint addresses this preemptively by invoking the forum selection clause in LinkedIn's own contract, which points to federal court in the Northern District of California.

Fairlinked, meanwhile, is coordinating the European regulatory track alongside the US litigation. Complaints have been filed with the European Commission and dialogue is ongoing around what market access under the DMA should actually mean in practice. Fairlinked stated it depends on donations and individual sponsors to pursue enforcement. The organization is raising funds explicitly to continue the DMA compliance challenge against Microsoft.

For LinkedIn's advertising customers and the wider B2B marketing ecosystem, the case poses questions that will not be resolved quickly. LinkedIn's platform is the dominant professional identity graph in existence. Every advertiser using LinkedIn Campaign Manager, every recruiter accessing LinkedIn Talent Solutions, and every sales team using LinkedIn Sales Navigator operates within a platform that now faces litigation alleging it was, simultaneously, running a covert surveillance system on every page load. The resolution of that claim - and what it means for how the platform handles browser-level data going forward - will matter to anyone whose marketing strategy depends on LinkedIn's audience data.

Timeline

  • 2017: LinkedIn scanned approximately 38 browser extensions, according to Fairlinked's technical investigation
  • 2023: European Commission designates LinkedIn as a gatekeeper under the Digital Markets Act, requiring platform openness to third-party tools
  • May 2024: LinkedIn integrates HUMAN Security into its advertising platform for invalid traffic detection
  • June 2024: LinkedIn removes group-based ad targeting in Europe following DSA complaint
  • 2024: LinkedIn's extension scan list reaches approximately 461 entries
  • December 17, 2024: LinkedIn introduces data-driven attribution modeling and company engagement tracking inside Campaign Manager
  • September 23, 2025: LinkedIn launches Company Intelligence API for B2B attribution tracking
  • July 8, 2025: LinkedIn launches Member Post Analytics API; simultaneously shuts down third-party apps including Kleo and Taplio
  • July 30, 2025: LinkedIn enhances Revenue Attribution Report with company-level measurement and Salesforce CRM integration
  • November 2025: European Commission opens cloud gatekeeper probes into Amazon Web Services and Microsoft Azure
  • November 3, 2025: LinkedIn begins using member data to train generative AI models globally, with regional opt-out controls
  • December 2025: LinkedIn's extension scan list reaches 5,459 entries
  • February 6, 2026: LinkedIn Senior Engineering Manager Milinda Lakkam files a sworn affidavit in German court proceedings acknowledging LinkedIn "invested in extension detection mechanisms"
  • February 19, 2026: Fairlinked's evidence package is hashed and timestamped by freetsa.org in Wurzburg, Germany, establishing the scan was active
  • February 2026: LinkedIn's extension scan list reaches 6,167 entries, growing at approximately 12 new extensions per day
  • March 9, 2026: Fairlinked publishes the full BrowserGate investigation publicly
  • April 5, 2026: PPC Land publishes detailed technical anatomy of the BrowserGate system
  • April 6, 2026: Class action complaint Ganan v. LinkedIn Corporation (Case 5:26-cv-02968) filed in the US District Court for the Northern District of California; press release embargoed until 5:00 PM PST
  • April 7, 2026: Fairlinked issues formal press release announcing the US class action from Santa Monica and Munich

Summary

Who: Plaintiff Jeff Ganan, a Los Angeles County sales professional, represented by the Law Office of J.R. Howell, filed the complaint on behalf of a proposed nationwide class of Chrome browser users with LinkedIn accounts. The defendant is LinkedIn Corporation, a Delaware corporation and Microsoft subsidiary headquartered in California. Fairlinked e.V., a Germany-registered nonprofit of commercial LinkedIn users, conducted the underlying technical investigation and is coordinating with US counsel.

What: A 45-page class action complaint alleges LinkedIn ran a covert browser surveillance system probing Chrome users for over 6,000 installed extensions, assembling detailed device fingerprints, routing encrypted session data to undisclosed third-party companies, and building session-persistent identifiers that were reinjected into every subsequent API request - all without disclosure in LinkedIn's privacy policy and without user consent. Six causes of action span the Federal Wiretap Act, California's computer fraud statute, California's pen register law, California's wiretapping statute, the California Constitution's privacy clause, and the common law tort of intrusion upon seclusion.

When: The complaint was filed on April 6, 2026. The press release was issued on April 7, 2026. The underlying conduct is described as ongoing at the time of filing.

Where: The case was filed in the US District Court for the Northern District of California, Case 5:26-cv-02968. The alleged conduct occurred on linkedin.com affecting Chrome browser users across the United States. In Europe, Fairlinked has separately filed complaints with the European Commission.

Why: The complaint alleges LinkedIn used an anti-abuse justification to conduct surveillance far broader than any narrow security purpose would require. The scan list encompassed religious extensions, disability tools, political opinion extensions, and competitor products. The complaint further alleges this system expanded dramatically after the EU's Digital Markets Act required LinkedIn to open its platform to third-party tools - effectively surveilling the businesses and users who tried to exercise rights the regulation was designed to protect.
