A detailed technical investigation published this month exposes LinkedIn's hidden browser scanning system as a multi-layer architecture that goes far beyond extension detection, collecting 48 hardware and software characteristics per session, routing encrypted data through third-party cybersecurity firms, and building company-level intelligence profiles of organisations across 200 countries - without disclosing any of this in its privacy policy.
The documents published by Fairlinked e.V., the European association of commercial LinkedIn users behind the BrowserGate investigation, include a complete technical breakdown of the JavaScript code, an evidence pack containing a cryptographically timestamped archive, and a sworn affidavit from LinkedIn's own senior engineering manager filed in German court proceedings. Taken together, they present the most detailed public account yet of how the system was built, what it collects, and why the investigators believe it crosses into criminal territory in at least two jurisdictions.
The JavaScript file at the centre of it
Every technical claim in the BrowserGate investigation traces back to a single source: a JavaScript bundle served by LinkedIn to every Chrome user who visits the site. According to the Fairlinked investigation, the file is identified internally as Webpack chunk ID "chunk.905," extension scan module 75023, and weighs approximately 2.7 megabytes across 13,159 lines of minified code. The framework is Ember.js, registered under globalThis.webpackChunk_ember_auto_import_.
Within that bundle, at line 9571 character offset 443, sits a hardcoded array. Each entry in the array has two fields: a 32-character Chrome Web Store extension ID and a known internal file path within that extension's package - things like popup.html, icon.png, or manifest.json. According to the investigation, someone at LinkedIn has individually identified a specific web-accessible resource for each of the 6,222 extensions in the list. This is not automated scraping of extension IDs. It is a curated target list, maintained and expanded over time.
The filename of the JavaScript bundle changes with each deployment, as it is derived from the content hash. But the string literals, endpoint URLs, module exports, and detection functions remain searchable by keyword. Anyone with Chrome developer tools can open LinkedIn, locate the largest JavaScript bundle at roughly 2.7 megabytes, and search for the string fetchExtensions or any Chrome extension ID to find the system.
Three detection stages, each catching what the last misses
The detection architecture operates as a three-stage fallback chain, with each layer designed to catch extensions that the previous one cannot reach. According to the Fairlinked technical documentation, the first stage is direct communication: the code attempts to contact an extension using Chrome's externally_connectable messaging API. If the extension developer has disabled this channel in their manifest.json, detection fails and the system moves to stage two.
Stage two is resource probing, using the browser's fetch() API to request a known internal file from each extension. According to the investigation, LinkedIn tests all 6,222 extensions through this method, issuing the requests concurrently and collecting every outcome with Promise.allSettled(). A fulfilled response means the extension is installed. A rejected response means it is not. An alternative sequential mode, controlled by a parameter called staggerDetectionMs, introduces a configurable delay between each probe - slowing the scan down enough to reduce its visibility in network monitoring tools.
Stage three - the one LinkedIn calls "Spectroscopy" - operates differently. Rather than querying extension files, it walks the entire DOM tree of the page, inspecting every text node and element attribute for the string "chrome-extension://". Any extension that has injected elements, modified attributes, or added scripts to the page leaves traces in the DOM that Spectroscopy extracts. The 32-character extension ID is pulled from the URL fragment. According to the investigation, a VPN that modifies even a single pixel of the rendered page is detectable through this method.
The two methods complement each other in a specific way. Active Extension Detection via fetch() can identify extensions that are installed but have injected nothing into the current page. Spectroscopy catches extensions that actively modify the page but may not be in LinkedIn's hardcoded list. Together, according to the investigation, they cover both cases.
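As an added example that is not part of the Fairlinked documentation or of LinkedIn's code, the following JavaScript audit lets an extension developer check their own extension against the three stages above: whether a given page origin can open an externally_connectable channel (stage one), which web_accessible_resources that origin can fetch at the static chrome-extension://<id>/ path (stage two), and whether the extension leaves chrome-extension:// URLs in a page's DOM (stage three). It understands both the Manifest V2 flat list and the Manifest V3 object form; the use_dynamic_url option it honours is Chrome's documented per-session URL mechanism. The sample manifest, extension ID, page URL and HTML snapshot are constructed.

```javascript
// Added example (not LinkedIn's code, nor Fairlinked's): an exposure audit an
// extension developer can run against their own manifest.json and a snapshot of
// a page's DOM. Assumptions: Manifest V2 or V3 layout; the snapshot is a string
// such as document.documentElement.outerHTML; pageUrl is the page doing the probing.

function escapeRe(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Translate a Chrome match pattern ("*://*.example.com/*", "<all_urls>") into a
// RegExp. Returns null for patterns this audit does not understand.
function matchPatternToRegExp(pattern) {
  if (pattern === '<all_urls>') return /^(https?|file|ftp|ws|wss):\/\//;
  const m = /^(\*|https?|file|ftp|ws|wss):\/\/(\*|\*\.[^/*]+|[^/*]+)(\/.*)$/.exec(pattern);
  if (!m) return null;
  const scheme = m[1] === '*' ? 'https?' : m[1]; // "*" scheme means http or https
  let host;
  if (m[2] === '*') host = '[^/]+';
  else if (m[2].startsWith('*.')) host = '(?:[^/]+\\.)?' + escapeRe(m[2].slice(2));
  else host = escapeRe(m[2]);
  const path = escapeRe(m[3]).replace(/\\\*/g, '.*');
  return new RegExp('^' + scheme + '://' + host + path + '$');
}

function anyPatternMatches(patterns, url) {
  return (patterns || []).some((p) => {
    const re = matchPatternToRegExp(p);
    return re !== null && re.test(url);
  });
}

// Stage two: resource paths that a page at pageUrl may fetch at the static
// chrome-extension://<id>/ URL.
function exposedResources(manifest, pageUrl) {
  const war = manifest.web_accessible_resources;
  if (!war) return [];
  // Manifest V2: a flat list of paths, readable by every origin.
  if (war.every((e) => typeof e === 'string')) return [...war];
  // Manifest V3: each entry scopes its resources to match patterns. Entries with
  // use_dynamic_url are served under a per-session ID, so a probe of the static
  // path does not resolve for them.
  const out = [];
  for (const entry of war) {
    if (entry.use_dynamic_url) continue;
    if (anyPatternMatches(entry.matches, pageUrl)) out.push(...entry.resources);
  }
  return out;
}

// Stage one: can the page at pageUrl open a messaging channel to the extension?
// An absent externally_connectable key means no web page may connect.
function externallyReachable(manifest, pageUrl) {
  const ec = manifest.externally_connectable;
  return !!ec && anyPatternMatches(ec.matches, pageUrl);
}

// Stage three: extension IDs that a DOM walk would find in the serialised page.
// Chrome extension IDs are 32 characters drawn from a-p.
function extensionIdsInDom(htmlSnapshot) {
  const ids = new Set();
  for (const m of htmlSnapshot.matchAll(/chrome-extension:\/\/([a-p]{32})/g)) ids.add(m[1]);
  return [...ids].sort();
}

function auditExtension(manifest, pageUrl, htmlSnapshot) {
  return {
    messagingReachable: externallyReachable(manifest, pageUrl),
    fetchableResources: exposedResources(manifest, pageUrl),
    domLeaks: extensionIdsInDom(htmlSnapshot),
  };
}

// Constructed sample: a V3 manifest that exposes icon.png to every site, keeps
// popup.html behind a dynamic URL, and only accepts messages from example.com;
// plus a snapshot in which the content script injected an <img> that points back
// at the extension. The ID below is made up.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: 'sample',
  externally_connectable: { matches: ['https://*.example.com/*'] },
  web_accessible_resources: [
    { resources: ['icon.png'], matches: ['<all_urls>'] },
    { resources: ['popup.html'], matches: ['<all_urls>'], use_dynamic_url: true },
  ],
};
const SAMPLE_ID = 'abcdefghijklmnopabcdefghijklmnop';
const SAMPLE_DOM =
  '<html><body><img src="chrome-extension://' + SAMPLE_ID + '/icon.png"></body></html>';

console.log(JSON.stringify(
  auditExtension(SAMPLE_MANIFEST, 'https://www.linkedin.com/feed/', SAMPLE_DOM), null, 2));
```

For the sample manifest the audit reports that the probing page cannot message the extension, that it can fetch icon.png but not popup.html, and that the injected image leaks the extension ID into the DOM. The corresponding hardening follows directly from the three checks: keep externally_connectable absent unless a specific site needs it, scope each web_accessible_resources entry's matches to the sites the extension actually runs on and set use_dynamic_url where the browser supports it, and avoid writing chrome.runtime.getURL() results into page markup when an inline or blob: resource would do. The DOM check only sees serialised markup, so URLs held in script state or applied through computed styles are outside what it can report.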
A fingerprint carrying 48 data points
Extension detection feeds into a broader device fingerprinting system that the investigation identifies internally as APFC - Anti-fraud Platform Features Collection - also referred to as DNA, for Device Network Analysis. According to the technical documentation, the system collects 48 distinct browser and device characteristics, categorised as follows.
Hardware identifiers include CPU core count (hardwareConcurrency), available device memory (deviceMemory), screen resolution and colour depth, and audio hardware characteristics captured through an AudioContext fingerprint using oscillator, compressor, and analyser nodes. Network characteristics include local IP address via WebRTC, connection type, downlink speed, and round-trip time. Canvas and WebGL fingerprints are captured through rendered hidden elements; the WebGL collection alone gathers 65 separate parameter values alongside renderer and vendor strings. The system also enumerates installed system fonts, connected cameras, microphones, and speakers through the browser's enumerateDevices API, and records battery level, charging status, and estimated discharge time.
One entry in the collection stands out. According to the investigation, feature number 23 in the APFC list is doNotTrack - the browser setting through which a user signals they do not wish to be tracked. The investigation documents that LinkedIn records this setting but then excludes it from the fingerprint hash using a parameter at line 9512: excludes: { doNotTrack: true }. The data is collected. It is simply not included in the fingerprint used for identification. LinkedIn records that a user asked not to be tracked, then tracks them.
Once the 48 characteristics and extension scan results are combined, the payload is serialised to JSON and encrypted using an RSA public key identified as apfcDfPK. The encrypted payload is transmitted to three endpoints: linkedin.com/li/track, /platform-telemetry/li/apfcDf, and /apfc/collect. It is then stored in globalThis.apfcDf and injected as an HTTP header into every subsequent API request made during the session. Every search, every profile view, every connection request carries the encrypted fingerprint as a header for the duration of the visit.
Third-party data flows
Beyond LinkedIn's own endpoints, the BrowserGate investigation identifies three external services that receive data as part of the same JavaScript bundle.
The first is HUMAN Security, formerly known as PerimeterX, described in the investigation as an American-Israeli cybersecurity firm. According to the documentation, LinkedIn loads a hidden iframe from li.protechts.net that is 0 by 0 pixels in size, positioned at left: -9999px, and marked aria-hidden="true". The iframe passes a timestamp, the page's tree ID, a hashed session cookie (bcookie), and a hardcoded app ID (PXdOjV695v in production). It reads and sets PerimeterX cookies - _px3, _pxhd, _pxvid, pxcts - through cross-origin postMessage. LinkedIn integrated HUMAN Security into its advertising platform in May 2024 as a partner for invalid traffic detection. The BrowserGate investigation reveals that the same HUMAN Security integration operates at the browser infrastructure level on every page load, for all users, not only in advertising contexts.
The second external recipient is a service called Merchant Pool, reached via merchantpool1.linkedin.com. According to the investigation, a separate fingerprinting script loads from this domain, passing the user's session cookie and a hardcoded instance ID. The third is Google reCAPTCHA v3 Enterprise, which LinkedIn loads and executes on page load with the action "onPageLoad," collecting the resulting token silently.
None of these data flows are disclosed in LinkedIn's privacy policy.
The extension categories and what they reveal
The 6,222 extensions in the scan list break into identifiable categories, each revealing a different type of information about the user. According to the Fairlinked analysis, 762 of the extensions are LinkedIn-specific productivity tools, the exact category the Digital Markets Act was designed to protect by requiring LinkedIn to allow third-party interoperability.
Sales intelligence competitors account for 209 entries. This includes Apollo (600,000 users), Lusha (300,000 users), ZoomInfo (300,000 users), and Kaspr, among others. LinkedIn's Sales Navigator product generates approximately $1 billion per year in revenue. Because every LinkedIn user account is tied to a real employer and job title, detecting competitor tools on a user's browser allows LinkedIn to map which companies are evaluating or actively using rival sales intelligence products. According to the investigation, LinkedIn has already used data obtained through this scanning to send enforcement threats to users of third-party tools.
Job search extensions account for 509 entries with a combined user base of 1.4 million people. Detecting these on the browser of someone whose profile shows a current employer means LinkedIn knows that person is quietly looking for work - on the same platform where their manager and colleagues are active. The investigation notes that employers are legally prohibited from asking about employment intentions in most jurisdictions, yet LinkedIn has built a system that infers exactly this information without any disclosure.
Religious extensions on the list include PordaAI, described in the Chrome Web Store as "Blur Haram objects in Images and Videos, Real-time AI for Islamic values," with approximately 5,000 users, and Deen Shield, described as "Blocks haram & distracting sites, Quran Home Tab." Detecting either extension on a named user's browser is, according to the investigation's legal analysis, processing data that reveals religious belief - a category that GDPR Article 9 prohibits collecting without explicit consent.
Political extensions include Anti-woke ("Shows warnings about woke companies"), Anti-Zionist Tag ("Adds a tag to the LinkedIn profiles of Anti-Zionists"), No more Musk ("Hides digital noise related to Elon Musk," approximately 19 users), and Political Circus ("Politician to Clown AI Filter," approximately 7 users). Political opinions are also special-category data under Article 9.
Disability and neurodivergence tools include "simplify," described explicitly as a tool "for neurodivergent users," with approximately 79 users. Detecting this extension is, under the CJEU's interpretation in the Lindenapotheke case (C-21/23, October 2024), processing health data regardless of the controller's stated intent.
Security and privacy tools include Malwarebytes Browser Guard (10 million users), KeepSolid VPN Unlimited, Zoho Vault, and LinkedIn Profile Privacy Shield. Mapping which employees at which organisations use security tools reveals those organisations' security posture - sensitive information for enterprise IT teams and government agencies alike.
The sworn affidavit and what it admits
The evidence pack published by Fairlinked includes what the investigation describes as its most significant single document: an affidavit filed in German court proceedings by Milinda Lakkam, identified as Senior Manager of Software Engineering and Machine Learning at LinkedIn Corporation. The document was filed on February 6, 2026, in Mountain View, California, and is referenced as court exhibit Anlage AG 4. Lakkam identifies herself as the person at LinkedIn responsible for "developing and implementing LinkedIn's scraping-related multi-layered technical anti-abuse systems."
Paragraph 3 of the affidavit, according to the Fairlinked evidence pack, states: "LinkedIn has invested in extension detection mechanisms without which LinkedIn would not have been able to trace the cause of service impacts and outages." Paragraph 5 repeats the admission in similar terms. These statements confirm that extension detection is a deliberate, sustained engineering investment, not an incidental technical by-product.
The investigation draws attention to a tension within paragraph 4 of the same document. The affidavit states both that LinkedIn's models "do not take the use of any particular browser extension(s) into account" and, in the same paragraph, that LinkedIn's systems "may have taken action against LinkedIn users that happen to have [XXXXXX] installed." If the models do not consider which extensions are present, it is not clear how targeted enforcement actions against specific extension users could occur. The investigation presents this as an internal contradiction in a sworn document.
The legal exposure across jurisdictions
The investigation's legal analysis identifies violations across six distinct legal frameworks. The most severe, according to the BrowserGate report, is GDPR Article 9, which prohibits processing data revealing racial or ethnic origin, political opinions, religious beliefs, health data, and related categories. The prohibition is not conditional on intent. The CJEU confirmed in Meta Platforms v. Bundeskartellamt (Case C-252/21, July 2023) that browsing data and app usage data qualify as special-category data when they allow inference of protected characteristics. The maximum penalty under Article 83(5) is €20 million or 4% of global annual turnover, whichever is higher. Microsoft's fiscal year 2025 revenue was $281.72 billion. Four percent of that figure is $11.27 billion.
GDPR Article 6 requires a legal basis for any processing of personal data. The investigation argues that none of the six available bases apply: no consent was obtained, extension scanning is not necessary to provide the LinkedIn service, legitimate interest cannot be invoked for Article 9 data, and no other basis is relevant. GDPR Articles 13 and 14 require transparent disclosure of processing at the time of collection. LinkedIn's privacy policy contains no mention of extension scanning, constituting a separate violation.
The ePrivacy Directive - the regulation behind cookie consent banners across the web - requires explicit consent before accessing information stored on a user's terminal device. Each of the 6,222 fetch requests to chrome-extension:// URLs is, by the letter of that directive, an access to information on the user's device. Germany has transposed this requirement as TTDSG section 25, which carries penalties of up to €300,000 per violation.
German criminal law creates additional exposure. Section 202a of the Strafgesetzbuch criminalises unauthorised data access, carrying up to three years' imprisonment. The German Federal Court of Justice confirmed in case 5 StR 614/19 that even security measures which can be quickly circumvented qualify as "besondere Sicherung" (special security measures). When an extension developer sets externally_connectable to disabled in their manifest.json, that is an explicit security boundary. LinkedIn's three-stage detection system routes around it. Sections 202b and 202c of the same code address interception of data and preparation for data espionage respectively, and section 23 of the Geschäftsgeheimnisgesetz covers trade secret theft - which the investigation argues applies to each of the 6,222 software vendors whose customer lists LinkedIn is effectively extracting through the scan.
In the United Kingdom, Section 1 of the Computer Misuse Act 1990 criminalises unauthorised access to computer material, carrying up to two years' imprisonment. The UK GDPR applies Article 9 with identical force, with a maximum fine of £17.5 million or 4% of global turnover. California's CCPA and CPRA require disclosure of personal information collection and provide consumers the right to know what data is held about them. The California Invasion of Privacy Act provides statutory damages of $5,000 per violation without requiring proof of actual harm - a figure that, applied to millions of California LinkedIn users, represents significant potential exposure.
The DMA compliance question
The growth rate of the extension scan list forms a central argument in the BrowserGate investigation's DMA analysis. According to Fairlinked, LinkedIn scanned for 38 extensions in 2017. By 2024 the number was approximately 461. By May 2025 it had reached around 1,000. By December 2025 it stood at 5,459. By February 2026 it had grown to 6,167. That is an addition of roughly 12 extensions per day in the final two-month period documented.
The European Commission designated Microsoft's LinkedIn as a gatekeeper under the Digital Markets Act in September 2023, requiring the platform to open access to third-party tools under Article 6(10). According to the Fairlinked investigation, LinkedIn's response to the EU was to publish two restricted APIs handling approximately 0.07 calls per second. Meanwhile, according to the investigation, LinkedIn operates an internal API called Voyager that powers all its web and mobile products at 163,000 calls per second. Microsoft's 249-page compliance report to the EU mentions the word "API" 533 times, according to the BrowserGate documents. The word "Voyager" appears zero times.
The acceleration of the extension scan list directly overlaps with the DMA compliance period. The regulation required LinkedIn to tolerate competing third-party tools. According to the investigation, LinkedIn built a surveillance system to identify every user of those tools. The EU's broader regulatory scrutiny of Microsoft expanded in November 2025 when the European Commission opened three market investigations into whether Microsoft Azure should be designated a gatekeeper under the DMA for cloud computing services.
The organisational and government intelligence dimension
The BrowserGate investigation's deepest concern is not the individual privacy violation. It is what the data enables at scale. Because every LinkedIn account is tied to a real name, employer, job title, and location, each extension scan result is attributed to a specific person at a specific organisation. Aggregating results across all employees of a company who use LinkedIn produces a profile of that company's technology stack - which CRM they use, which sales tools, which security products, which productivity software - assembled without the company's knowledge.
The investigation extends this logic to government. European defence ministries, intelligence agencies, law enforcement bodies, regulators, and elected officials all have LinkedIn profiles. According to the Fairlinked analysis, LinkedIn's scanning does not distinguish between a marketing manager at a startup and a cybersecurity analyst at a government ministry. Both are scanned. Both have their results transmitted to LinkedIn's servers in the United States. The very officials at the European Commission responsible for the DMA investigation of LinkedIn are, in all likelihood, on LinkedIn themselves.
This is also the context in which LinkedIn's recent data practices take on additional significance. In September 2025, LinkedIn announced it would begin using member data to train generative AI models starting November 3, 2025. The policy covers profile data, posts, articles, and job responses. It does not cover extension scan data or device fingerprints, because those practices are not disclosed at all. In March 2026, LinkedIn published an engineering blog post documenting how it has rebuilt its entire feed ranking system using large language models trained on member engagement data, running on 8 H100 GPUs with sub-50ms retrieval latency. The platform handling one of the largest covert browser scanning operations in documented history is simultaneously building some of the most sophisticated AI-driven content ranking infrastructure in the industry.
What this means for B2B marketers
For the marketing community, BrowserGate introduces a structural question that sits beneath all the legal and privacy analysis. LinkedIn is simultaneously the dominant platform for B2B advertising - achieving 121% ROAS in 2025 according to Dreamdata's March 2026 report, with a 41% share of B2B ad budgets - and the subject of an investigation alleging it is using browser-level intelligence to map the software environments of its own advertisers' organisations.
The competitive intelligence dimension is the most commercially acute. If LinkedIn can detect that employees at a company are running Apollo, Lusha, or ZoomInfo - tools that compete directly with its own Sales Navigator product - it has real-time visibility into which companies are evaluating alternatives. That information has direct value to LinkedIn's own sales and product teams. It also potentially informs how the platform responds to those companies as advertisers, though LinkedIn denies using the data for any such purpose.
The data enrichment trajectory compounds the concern. LinkedIn's Company Intelligence API, launched in September 2025, enables B2B marketers to track how entire organisations engage with the platform across paid and organic touchpoints. LinkedIn's Revenue Attribution Report was enhanced in July 2025 with company-level measurement tied to Salesforce CRM integration. Each of these capabilities builds a richer profile of each advertiser's organisation within LinkedIn's data infrastructure. The BrowserGate investigation suggests that, beneath those declared data flows, there is also an undisclosed layer of browser-level intelligence being collected and stored.
Fairlinked's legal proceedings against LinkedIn under the DMA have been filed, according to a notice published on the BrowserGate website. The evidence pack is available for download and cryptographically verifiable. Complaints can be filed with any EU member state data protection authority, with the Irish Data Protection Commission as LinkedIn's lead EU regulator. Class action registrations are open across multiple jurisdictions, according to the BrowserGate site.
Whether the gap between what LinkedIn collects and what it discloses can survive sustained regulatory attention in an environment where Austrian courts have found Google reCAPTCHA unlawful without consent, German courts have found Google Tag Manager requires explicit consent, and the Irish DPC has already fined LinkedIn €310 million for advertising data practices, is the operative question. The code is verifiable. The affidavit is a public court filing. The legal analysis is grounded in statutes and case law. What comes next depends on regulators.
Timeline
- 2017: LinkedIn begins scanning for 38 specific Chrome extensions as part of early extension detection.
- September 2023: The European Commission designates Microsoft's LinkedIn as a DMA gatekeeper, requiring the platform to open third-party tool access under Article 6(10).
- February 2024: Civil society groups file a complaint with the European Commission over LinkedIn's group-based ad targeting under the DSA. LinkedIn discontinues group-based ad targeting in Europe.
- 2024: LinkedIn's extension scan list reaches approximately 461 entries.
- May 2024: LinkedIn integrates HUMAN Security for invalid traffic detection. The same HUMAN Security iframe is documented in the BrowserGate investigation as running on every page load.
- October 24, 2024: The Irish Data Protection Commission fines LinkedIn €310 million for processing personal data for targeted advertising without a valid legal basis under GDPR.
- July 28, 2025: LinkedIn enhances its Revenue Attribution Report with company-level measurement tied to Salesforce CRM integration.
- September 18, 2025: LinkedIn announces it will begin using member data to train generative AI models from November 3, 2025.
- September 23, 2025: LinkedIn launches the Company Intelligence API for B2B attribution at organisation level.
- October 8, 2025: LinkedIn restricts free competitor analytics to a single tracked account, requiring premium subscriptions for broader competitive monitoring.
- November 3, 2025: LinkedIn begins using member profile data, posts, and articles for generative AI model training.
- November 18, 2025: European Commission opens cloud gatekeeper probes for Amazon and Microsoft Azure under the Digital Markets Act.
- December 2025: LinkedIn's extension scan list reaches 5,459 entries.
- January 2026: The Regional Court of Munich denies Teamfluence's preliminary injunction against LinkedIn, finding LinkedIn's actions did not constitute unlawful obstruction.
- February 6, 2026: LinkedIn Senior Engineering Manager Milinda Lakkam files a sworn affidavit in German court proceedings acknowledging LinkedIn "invested in extension detection mechanisms."
- February 19, 2026: Fairlinked's evidence package - containing the JavaScript bundle, video demonstration, and RFC 3161 cryptographic timestamp - is hashed and timestamped by freetsa.org in Würzburg, Germany, establishing that the scan was active on that date.
- February 2026: LinkedIn's extension scan list reaches 6,167 entries. Growth rate: approximately 12 new extensions added per day.
- March 9, 2026: Fairlinked publishes the full BrowserGate website with technical documentation, legal analysis, evidence pack, and campaign materials.
- Early April 2026: BleepingComputer independently confirms through testing that LinkedIn's extension scanning script is active and detecting 6,236 extensions.
- April 5, 2026: Fairlinked publishes its investigation publicly. Legal proceedings against LinkedIn under the DMA are confirmed as filed.
Summary
Who: LinkedIn, a Microsoft subsidiary with over 1.2 billion registered members across 200 countries, is the subject of the BrowserGate investigation. The investigation was conducted by Fairlinked e.V., a European association of commercial LinkedIn users connected to Teamfluence Signal Systems OÜ, an Estonian company in an active legal dispute with LinkedIn. Technical findings were independently confirmed by BleepingComputer. The affidavit at the centre of the evidence pack was filed by Milinda Lakkam, LinkedIn's Senior Manager of Software Engineering and Machine Learning.
What: LinkedIn operates a hidden JavaScript system called APFC, also referred to as DNA, embedded in a 2.7-megabyte bundle delivered to every Chromium browser user who visits the site. The system scans for 6,222 specific Chrome extensions using a three-stage detection architecture - direct messaging through externally_connectable, resource probing through fetch() requests, and full DOM tree scanning - collects 48 hardware and software device characteristics, encrypts all data using RSA public key encryption, and transmits it to LinkedIn's servers as well as to third-party services including HUMAN Security and Merchant Pool. The fingerprint is then injected as an HTTP header into every API request during the session. The system is not mentioned in LinkedIn's privacy policy. Extensions on the scan list include tools associated with religious practice, political opinion, neurodivergent conditions, job searching, and competitor sales products.
When: Extension scanning began in 2017 with 38 extensions. The list grew to 461 by 2024, reached 5,459 by December 2025, and stood at 6,167 by February 2026. The JavaScript bundle was cryptographically timestamped as active on February 19, 2026. The BrowserGate investigation was published publicly on April 5, 2026, the same day as confirmed active scanning by BleepingComputer.
Where: The scanning affects all users of LinkedIn in Chromium-based browsers globally - Chrome, Edge, Brave, Opera, Arc, and any other Chromium-derived browser. The encrypted data is transmitted to LinkedIn's servers in the United States. Legal exposure is sharpest in the European Union under GDPR and the ePrivacy Directive, in Germany under sections 202a, 202b, 202c, and 240 of the Strafgesetzbuch, in the UK under the Computer Misuse Act 1990 and UK GDPR, and in California under CCPA, CPRA, and CIPA. LinkedIn's EU lead supervisory authority is the Irish Data Protection Commission, which has already fined LinkedIn €310 million for separate data processing violations in October 2024.
Why: The investigation matters for the marketing and advertising community on several levels. LinkedIn holds a dominant and expanding position in B2B advertising, with 121% ROAS and 41% of B2B ad budgets according to Dreamdata's March 2026 report. The BrowserGate investigation alleges that the platform is simultaneously using browser-level intelligence to monitor its own advertisers' software environments - detecting which competing sales tools their employees use, which job-search extensions their staff run, and what the security posture of their organisations looks like. That information sits within LinkedIn's servers, attributed to identified professionals at identified companies, assembled without any disclosure and without any opt-out mechanism. Whether that constitutes a data protection violation, a criminal offence, a DMA compliance failure, or all three simultaneously is now a question for regulators and courts across multiple jurisdictions.