Researchers have determined that Microsoft's LinkedIn is scanning browser plug-ins and other information without permission, building user profiles using data that the company did not get permission to take.
A European advocacy group claims LinkedIn is probing browser extensions through its website code. Fairlinked e.V. published its "BrowserGate" report alleging LinkedIn detects installed browser extensions by probing for known identifiers through JavaScript. The group says the technique reveals personally identifiable information.
Safari users are less likely to be affected by this specific mechanism, based on how extension detection typically works across browsers. Apple's browser model limits fingerprinting surfaces, which reduces how much information sites can infer from installed extensions.
Instead, the reported method relies on Chromium-based browser behavior where extensions expose identifiable resources that websites can probe. Chrome and Edge fit this model, while Safari has a more restricted extension system that doesn't expose the same identifiers.
The BrowserGate report points to a JavaScript bundle that allegedly includes identifiers for more than 6,000 browser extensions. Each identifier is mapped for detection during page loads.
Fairlinked says LinkedIn checks for those extensions and sends the results back to its servers. The group further argues the data could be used to infer sensitive signals about users or companies.
The claim, if completely accurate, clearly violates European privacy law if the behavior occurs at scale and without disclosure. Neither LinkedIn nor Microsoft has publicly responded as of April 3 and no regulatory findings have been issued.
Browser extension detection sits at the center of the claims
Browser-level extension detection is technically possible under certain conditions. Websites typically check for known file paths or behaviors exposed by extensions.
The method doesn't access a user's system directly. Additionally, no evidence shows whether the information is tied directly to user identities in practice.
LinkedIn's investment in client-side fingerprinting and detection systems to identify automation tools and scraping activity naturally includes extension detection. However, the same techniques can blur into user tracking depending on data usage.
Different types of extensions can signal how a user behaves online. Job search and automation tools can indicate how someone interacts with platforms, including whether they are actively applying for roles or extracting data at scale.
Sales and prospecting extensions can reflect which tools or datasets a company relies on, effectively mapping parts of a business's software stack. Security and privacy extensions can also reveal how a user approaches tracking, filtering, or data protection.
Browser extensions expose installed tools and usage patterns that can be combined to profile or uniquely identify users. When tied to a logged-in account, they provide a more detailed picture of activity and preferences based on data usage.
Key details remain unverified as scrutiny builds
LinkedIn's published disclosures acknowledge extensive use of cookies and third-party tracking tools for analytics and advertising. Disclosures don't mention scanning for installed browser extensions.
A gap between documented practices and alleged behavior is driving much of the current scrutiny. Regulators are focusing more closely on how large platforms collect and use behavioral data.
LinkedIn is designated a gatekeeper under the European Union's Digital Markets Act. The designation places the company under ongoing oversight around data use and platform fairness.
Any undisclosed method of collecting competitive or behavioral data would likely draw regulatory attention if substantiated. Risk increases if the method intersects with third-party tools or business activity.
Modern browsers expose small pieces of information, and signals can be combined and tied to identity to build detailed user profiles. The report highlights how that process can scale, but it does not and can not prove what happens after detection.
