> Every time you open LinkedIn in a Chrome-based browser, LinkedIn’s JavaScript executes a silent scan of your installed browser extensions. The scan probes for thousands of specific extensions by ID, collects the results, encrypts them, and transmits them to LinkedIn’s servers.
This does seem invasive. It also seems like what I’d expect to find in modern browser fingerprinting code. I’m not deeply familiar with what APIs are available for detecting extensions, but the fact that it scans for specific extensions sounds more like a product of an API limitation (i.e. no available getAllExtensions() or somesuch) vs. something inherently sinister (e.g. “they’re checking to see if you’re a Muslim”).
I’m certainly not endorsing it, I do think it’s pretty problematic, and I’m glad it’s getting some visibility. But I do take some issue with the alarmist framing of what’s going on.
I’ve come to mostly expect this behavior from most websites that run advertising code and this is why I run ad blockers.
Calling the title misleading because they didn't breach the browser sandbox is wrong when this is clearly a scenario most people didn't think was possible. Chrome added extensionId randomization with the change to V3, so it's clearly not an intended scenario.
> vs. something inherently sinister (e.g. “they’re checking to see if you’re a Muslim”)
They chose to put that particular extension in their target list, how is it not sinister? If the list had only extensions to affect LinkedIn page directly (a good chunk seem to be LinkedIn productivity tools) they would have some plausible deniability, but that's not the case. You're just "nothing ever happens"ing this.
I think most people would interpret “scanning your computer” as breaking out of the confines of the browser and gathering information from the computer itself. If this was happening, the magnitude of the scandal would be hard to overstate.
But this is not happening. What actually is happening is still a problem. But the hyperbole undermines what they’re trying to communicate and this is why I objected to the title.
> They chose to put that particular extension in their target list, how is it not sinister?
Alongside thousands of other extensions. If they were scanning for a dozen things and this was one of them, I’d tend to agree with you. But this sounds more like they enumerated known extension IDs for a large number of extensions because getting all installed extensions isn’t possible.
If we step back for a moment and ask the question: “I’ve been tasked with building a unique fingerprint capability to combat (bots/scrapers/known bad actors, etc), how would I leverage installed extensions as part of that fingerprint?”
What the article describes sounds like what many devs would land on given the browser APIs available.
To reiterate, at no point am I saying this is good or acceptable. I think there’s a massive privacy problem in the tech industry that needs to be addressed.
But the authors have chosen to frame this in language that is hyperbolic and alarmist, and in doing so I think they’re making people focus on the wrong things and actually obscuring the severity of the problem, which is certainly not limited to LinkedIn.
By this logic we could also say that LinkedIn scans your home network.
> Every time any of LinkedIn’s one billion users visits linkedin.com, hidden code searches their computer for installed software, collects the results, and transmits them to LinkedIn’s servers and to third-party companies including an American-Israeli cybersecurity firm.
When I read that, I think they have escaped the browser and are checking which applications I have installed on my computer. Not which plugins the browser has in it. Just my 2 cents.
The same way taking a photo of a house from the street is not the same as investigating the contents of your pantry.
While "scanning your browser" would be more accurate and would exclude the interpretation that it scans your files.
The reason the latter is not used is that, even though more precise and more communicative, it would get less clicks.
Your browser is a subset of your computer and lives inside a sandbox. Breaching that sandbox is certainly a much more interesting topic than breaking GDPR by browser fingerprinting.
Expecting and accepting this kind of thing is why everyone feels the need to run an ad-blocker.
An ad-blocker also isn’t full protection. It’s a cat and mouse game. Novel ideas on how to extract information about you, and influence behavior, will never be handled by ad-blockers until it becomes known. And even then, it’s a question of if it’s worth the dev time for the maker of the ad-blocker you happen to be using and if that filter list gets enabled… and how much of the web enabling it breaks.
The point was more that the headline frames this as some major revelation about LinkedIn, while the reality is that we’re getting probed and profiled by far more sites than most people realize.
They're scanning your extensions to make sure you aren't using third party tools to scrape LinkedIn.
It's stupid, but they're trying to stop people from making money on LinkedIn when they feel like they're the only ones that should be able to do that.
I don't: never have and never will. I don't notice the ads, they don't bother or distract me: I'm online 4-8 hours/day.
diaphimisticophobia: fear of advertisements or commercials
I would bet HN has the highest proportion of people with diaphimisticophobia of any group on the planet.
It's pretty wild that we live in a world where the actual FBI has recommended we use ad blockers to protect ourselves, and if everyone actually listened, much of the Internet (and economy) as we know it would disappear. The FBI is like "you should protect yourself from the way that the third largest company in the world does business", and the average person's response is "nah, that would take at least a couple of minutes of my time, I'll just go ahead and continue to suffer with invasive ads and make sure $GOOG keeps going up".
As a data point I, a technical person who tweaks his computer a lot, was against adblocking for moral reasons (as a part of a perceived social contract, where the internet is free because of ads). Only later I changed my mind on this because I became more privacy aware.
I get why Chrome doesn't, and that's why you should not use it. But Netscape? Edge? What is stopping them?
Browsing the web without an ad blocker is a miserable experience. Users who have never tried or don't know how to set one up would be delighted.
Would it really? It seems to me that most normal users spend most of their time and attention on apps, not in browsers.
The real reason is that the average person neither suffers with ads nor finds ads invasive, despite what a vocal online minority would have you believe. We just ignore them and get on with life. ::shrug::
My point isn’t that this is acceptable or that we shouldn’t push back against it. We should.
My point is that this doesn’t sound particularly surprising or unique to LinkedIn, and that the framing of the article seems a bit misleading as a result.
The list of extensions they scan for has been extracted from the code. It was all extensions related to spamming and scraping LinkedIn last time this was posted: Extensions to scrape your LinkedIn session and extract contact info for lead lists, extensions to generate AI message spam.
That seems like fair game for their business.
Indeed, so I gather all of you have canceled your LI account over this?
I never made one in the first place because it was pretty clear to me that this company - even before the acquisition - had nothing good in mind.
They also logically don’t need to fingerprint these users because those people are literally logging in to an account with their credentials.
By all appearances they’re just trying to detect people who are using spam automation and scraping extensions, which honestly I’m not too upset about.
If you never install a LinkedIn scraper or post generator extension you wouldn’t hit any of the extensions in the list they check for, last time I looked.
I run a site which attracts a lot of unsavoury people who need to be banned from our services, and tracking them to reban them when they come back is a big part of what makes our product better than others in the industry. I do not care at all about actually tracking good users, and I am not reselling this data, or anything malicious; its entire purpose is literally to make the website more enjoyable for the good users.
It's also heavily scraped by businesses for lead generation for sales and recruiting. Either before their API became available or to not pay them or to get around the restrictions of their API.
There are people who actually enjoy using LinkedIn?
No. Don't need extensions for that. See how Cloudflare Turnstile does it, recently popped up at https://news.ycombinator.com/item?id=47566865 cause ChatGPT uses it now:
Layer 1: Browser Fingerprint
WebGL (8 properties): UNMASKED_VENDOR_WEBGL, UNMASKED_RENDERER_WEBGL, WEBGL_debug_renderer_info, getExtension, getParameter, getContext, canvas, webgl
Screen (8): colorDepth, pixelDepth, width, height, availWidth, availHeight, availLeft, availTop
Hardware (5): hardwareConcurrency, deviceMemory, maxTouchPoints, platform, vendor
Font measurement (4): fontFamily, fontSize, getBoundingClientRect, innerText. Creates a hidden div, sets a font, measures rendered text dimensions, removes the element.
DOM probing (8): createElement, appendChild, removeChild, div, style, position, visibility, ariaHidden
Storage (5): storage, quota, estimate, setItem, usage. Also writes the fingerprint to localStorage under key 6f376b6560133c2c for persistence across page loads.
Scanning for 6000 extensions is anti-competitive, surveillant and immoral.
This seems like a really weird argument to make. The fact that the platform doesn't provide a privacy-violating API is not an extenuating circumstance. LinkedIn needed to work around this limitation, so they knew they're doing something sketchy.
For the record, I don't think they're being evil here, but the explanation is different: they don't seem to be trying to fingerprint users as much as they're trying to detect specific "evil" extensions that do things LinkedIn doesn't want them to do on linkedin.com. I guess that's their prerogative (and it's the prerogative of browsers to take that away).
Those profiling tools don't really care which features are going to be used for predictions. It's just machine learning, and it's indiscriminate. So if you have an extension that correlates with you being Muslim, it will be used for whatever ML predictions they give to other companies, and the worst case will be another "oh we didn't do this intentionally".
Of course, that's not the first time this ever happened in human history, so even if it's not "something inherently sinister", it's just "criminal negligence".
Just run everything in a safe environment that it can't look out of.
Since the extensions are running on the same page as LinkedIn (some of them are explicitly modifying the LinkedIn website) it's impossible to sandbox them so that LinkedIn can't see evidence of them. And yes, this is how a site knows you have an ad blocker installed.
Here is what the article says:
Method 1:

  // r is the array of {id, file} pairs (extension id, web-accessible file) the scan probes for
  async function c() {
    const e = [],
      t = r.map(({id: t, file: n}) => {
        return fetch(`chrome-extension://${t}/${n}`)
      });
    (await Promise.allSettled(t)).forEach((t, n) => {
      // a fulfilled fetch means the file, and so the extension, is present
      if ("fulfilled" === t.status && void 0 !== t.value) {
        const t = r[n];
        t && e.push(t.id);
      }
    });
    return e;
  }

Method 2:

  async function(e) {
    const t = [];
    for (const {id: n, file: i} of r) {
      try {
        // sequential variant: a successful fetch records the id, a rejection is swallowed
        await fetch(`chrome-extension://${n}/${i}`) && t.push(n);
      } catch(e) {}
      // optional delay of e milliseconds between probes
      e > 0 && await new Promise(t => setTimeout(t, e));
    }
    return t;
  }
The API is making an HTTP request to chrome-extension://${store_id}/${file_name}
There is then a second stage where they walk the DOM looking for text signatures and element attributes indicative of the store_id values.
It looks like the user has the freedom to manage this by launching chrome with this flag: --disable-extensions
It also seems there is an extension for extension management to deny extension availability by web site: https://superuser.com/questions/1546186/enable-disable-chrom...
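The probing code quoted above is the scanner's side. As an added example (not code from the article, from LinkedIn, or from any commenter), here is the user's side: detection logic that wraps fetch, records every request aimed at an extension-scheme URL, and summarises which extension ids a page tried to reach. The 32-letter ids, file paths and example.invalid host in the sample are constructed placeholders, not real extensions.

```javascript
// Added example: user-side detection of extension probing. Not code from the
// article or from LinkedIn; extension ids below are constructed placeholders.

// URL schemes under which browsers serve extension-internal resources.
const EXTENSION_SCHEMES = new Set(['chrome-extension:', 'moz-extension:', 'safari-web-extension:']);

// Classify one request URL. Returns {scheme, id, path} for an extension-resource
// URL (the extension id is the host part of chrome-extension://<id>/<path>),
// or null for anything else, including strings that are not URLs at all.
function classifyProbe(url) {
  let parsed;
  try {
    parsed = new URL(String(url));
  } catch (err) {
    return null;
  }
  if (!EXTENSION_SCHEMES.has(parsed.protocol)) return null;
  return { scheme: parsed.protocol, id: parsed.hostname, path: parsed.pathname };
}

// Wrap a fetch-compatible function. Every call is inspected before it is
// forwarded unchanged, so page behaviour is not altered; probes land in `log`.
function instrumentFetch(realFetch, log) {
  return function monitoredFetch(input, init) {
    const url = typeof input === 'string' ? input : (input && input.url) || '';
    const probe = classifyProbe(url);
    if (probe) log.push({ ...probe, at: Date.now() });
    return realFetch(input, init);
  };
}

// Reduce a probe log to what a user wants to know: how many probes, and which
// extension ids (how many requests each) the page tried to reach.
function summarizeProbes(log) {
  const perId = new Map();
  for (const entry of log) perId.set(entry.id, (perId.get(entry.id) || 0) + 1);
  return { total: log.length, distinctIds: perId.size, perId: Object.fromEntries(perId) };
}

// Constructed sample traffic: two placeholder extension ids (real Chrome ids are
// 32 letters from a-p) probed three times in total, plus one ordinary API request.
const SAMPLE_URLS = [
  'chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/styles/content.css',
  'chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/img/icon.png',
  'chrome-extension://bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/inject.js',
  'https://example.invalid/api/feed',
];

// Offline driver: a fake fetch that behaves like a browser with no extensions
// installed (extension URLs reject, everything else resolves). The wrapper
// records probes synchronously, so the summary is available immediately.
function simulateProbes(urls) {
  const log = [];
  const fakeFetch = (input) => {
    const url = String(input);
    if (classifyProbe(url)) return Promise.reject(new TypeError('Failed to fetch'));
    return Promise.resolve({ ok: true, url });
  };
  const fetch = instrumentFetch(fakeFetch, log);
  for (const u of urls) fetch(u).catch(() => {});
  return summarizeProbes(log);
}

console.log(JSON.stringify(simulateProbes(SAMPLE_URLS), null, 2));
```

In a browser you would install the wrapper before the page's own scripts run (a user script, or the devtools console with the page paused on load): window.fetch = instrumentFetch(window.fetch.bind(window), probeLog), then summarizeProbes(probeLog) later. It only sees probes made through fetch; a scan that loads extension resources via img or link elements, or via XMLHttpRequest, needs those hooked separately, and the DOM-walking second stage the comment above mentions is not a network request at all.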
Why exactly does Chrome even allow this in the first place!? This is the most surprising takeaway for me here, given browser vendors' focus on hardening against fingerprinting.
When you're literally the company that invented Kafka for your clickstreams, "everything looks like a nail."
(More likely, though, this is an anti-scraping initiative, since headless browsers are unlikely to randomize their use of extensions, and they can use this to identify potential scrapers.)
Your computer is your private domain. Your house is your private domain. You don't make a "getAllKeysOnPorch()" API, and certainly don't make "getAllBankAccounts()" API. And if you do, you certainly don't make it available to anyone who asks.
It absolutely is sinister.
Working around deliberate API designs that are designed to make it harder to get a list of all installed extensions is inherently sinister. It's very clearly malicious. We absolutely should not accept that kind of behavior from anyone and definitely not from the corporations large enough that we can't realistically avoid depending upon them.
Speaking as someone who shares the same lack of surprise, perhaps some alarm is warranted. Just because it’s ubiquitous doesn’t mean it’s ok. This feels very much frog in boiling water for me.
Why do you think the alarmist framing is unwarranted?
But it’s critical to sound the correct alarm.
To me, it seems like the authors pulled the fire alarm for a single building when in reality there’s a tornado bearing down.
And by doing so, everyone is scrambling about a fire instead of the response a tornado siren would cause.
They’re both dangerous and worthy of an immediate reaction, but the confusion and misdirection this causes seems deeply problematic.
When people realize the fire wasn’t real, they start to question the validity of the alarm. The tornado is still out there.
I realize this analogy is a bit stretched.
As someone who has spent quite a lot of time steeped in security/privacy research, the stuff described in the article has been happening pervasively across the industry.
People absolutely should be alarmed. Many of us have been alarmed for quite some time. Raising the alarm by saying “LinkedIn is searching your computer” isn’t it.
The browser security model right now is more like those completely ineffective "gun free zone" signs cities tack up in public parks.
I would put it more like: it sounds bad, and it's no different from what others do, so they're all that bad.
The fact that they're working around an API limitation doesn't make this better, it just proves that they're up to no good. The whole reason there isn't an API for this is to prevent exactly this sort of enumeration.
It's clear that companies will do as much bad stuff as they can to make money. The fact that you can do this to work around extension enumeration limits should be treated as a security bug in Chrome, and fixed. And, while it doesn't really make a difference, LinkedIn should be considered to be exploiting a security vulnerability with this code.
Time to figure out if I can make Firefox pretend to be Chrome, and return random browser extensions every time I visit any website to screw up browser fingerprinting...
The people behind this URL are trying to hold Microsoft accountable. More power to them.
We should not normalise nor accept this behaviour in the first place.
So what is it? Misleading, or exactly what you expected to find? It cannot be both.
It sounds more like you object to the negative framing of Microsoft hoovering up as much data as possible for profit, even though this is objectively a crime in the jurisdictions they are being sued in.
Well great, there is no available 'getAllFiles()' or such either, because they'd be scanning your files for "fingerprinting" as well.
> alarmist framing
Well, they are literally searching your computer for applications/extensions that you have installed? (and to an extent you can infer what some of the desktop applications you have are based on that too)
Then why search for PordaAI or Deen Shield? Or more specifically, since getAllExtensions() would return them, why would they be on the "scan list", instead of just ignored?
My understanding is the rules and laws are to prevent the outcome, by any means, if it's happening.
> I’ve come to mostly expect this behavior from most websites that run advertising code
We should be alarmed that websites we go to are fingerprinting us and tracking our behavior. This is problematic, full stop. The fact that most websites are doing this doesn't change that.
Exactly what I think it is. It's all for tracking and ultimately for advertisement. Linkedin can get exactly who you are and then they share that data with ad companies to better target you.
Really gross behavior.
Yes. I was expecting LinkedIn was connecting to extensions that are using their enhanced privileges to scan your computer, per the "LinkedIn Is Illegally Searching Your Computer" headline.
Instead, LinkedIn is scanning for extensions.
But I bet they could reliably guess your religious affiliation based on the presence of some specific browser extensions.
God forbid they make an educated guess based on your actual LinkedIn connections, name, interests, etc.
On the contrary, your framing is quite defeatist IMO. The fact that stores get robbed frequently does not mean we should just normalize that and accept it as a fact of life.
It's important to note that this isn't fixed by ad blockers. To avoid this kind of fingerprinting, you need to disable JavaScript or use a browser like Firefox which randomizes extension UUIDs.
What's been really obnoxious lately is the number of sites I try to do things on that are straight up broken without turning off my ad-blocker.
Why is this even possible in the first place? It's nobody's business what extensions I have installed.
How? What exactly would a reader be "misled" to believe?
The part about "inherently sinister" seems to be a thought from the mind of an HN commenter, not the authors of the submitted web page. The latter only describe LinkedIn's actions as illegal, not "sinister". The laws cited by the authors do not appear to consider any "state of mind", e.g., "sinister", or intent as relevant.
"But I do take some issue with the alarmist framing of what's going on."
AFAICT, the submitted web page does not suggest that anything LinkedIn does is "dangerous", i.e., cause for "alarm". What it suggests is that LinkedIn's actions _violate European privacy laws_. The authors claim LinkedIn's actions present an opportunity to enforce these laws, i.e., "take action"
This could be easily inferred from the depth, breadth, and interconnectedness of data in the website.
By downplaying it, it's allowing it to exist and do the very thing.
The issue here is this stuff is working likely despite ad blockers.
Fingerprinting technology can do a lot more than just what can be learned from ads.
From the site:
"The scan doesn’t just look for LinkedIn-related tools. It identifies whether you use an Islamic content filter (PordaAI — “Blur Haram objects, real-time AI for Islamic values”), whether you’ve installed an anti-Zionist political tagger (Anti-Zionist Tag), or a tool designed for neurodivergent users (simplify). Under GDPR Article 9, processing data that reveals religious beliefs, political opinions, or health conditions requires explicit consent. LinkedIn obtains none." https://browsergate.eu/extensions/
This is inherently sinister.
And probably also vibe-coded therefore 2 tabs of LinkedIn take up 1GB of RAM (was on the front page a few days back).
So this is just a heads up that even if you don't have a linkedin account, they will create one on your behalf so might better check (assuming you neither have nor want one).
Are companies now commonly uploading lists of employees to LinkedIn? Is this happening automatically because you got an e-mail account from the company and the company runs on MS Office and you're identified as an employee within it? What triggered it?
This seems like somewhat of a scandal that deserves its own post, but it also needs a lot more details to be trustworthy and for people to understand what exactly is happening.
Also, was there some way for you to take ownership of the profile? Did it depend on verifying a certain e-mail address? Does it require you to get the company to remove it, or could you take ownership and then delete the LinkedIn account/profile yourself?
Other times they would just link to real LinkedIn profiles, but the LinkedIn profile will say that they’re not actively looking and are a victim of id fraud basically.
It’s been a huge issue spotting candidates falsifying information since remote work took off, unfortunately. The payout is: if they can get at least 1 or 2 paychecks before being found out, they’ve made a good profit.
If anyone else has any more info on the why, please share.
Anyway, what they're calling "spectroscopy", is a combination of extension probing and doing residue detection (looking for what extensions might leave behind in the DOM).
An ad blocker is not necessarily equipped to help since the script is embedded with the application code. Since they're targeting Chrome, switching browsers will help with the probing but not the detection part, and you'll still be fingerprinted.
The only way forward is for browser vendors to offer a real privacy or incognito mode where sites are sandboxed by default. When the default profile is identical across millions of users there won't be anything unique to fingerprint.
They've run this experiment before; Windows is terrible and has been for a very long time, Microsoft Office is terrible and has been for a very long time, Sharepoint is terrible and has been for a very long time, LinkedIn is terrible and has been for a very long time, etc.
It's what they do, there is not a single thing that Microsoft does not half-ass, because all they focus on is getting embedded into places, and that does not require that any of their products be good.
For over 15 years reCAPTCHA has relied on browser fingerprinting to help distinguish humans from bots. And fingerprintjs.com has been around for well more than a couple years.
That said, sniffing the browser extensions someone is using is NOT a common fingerprinting method used by my examples, but just saying fingerprinting itself without explicit disclosure has been around for quite a long time. It happens on literally every CAPTCHA service. I hate it of course, but the ship sailed a long time ago.
--
I like this demo for testing my browser's resilience against fingerprinting: https://fingerprint.com/demo/
> The scan doesn’t just look for LinkedIn-related tools. It identifies whether you use an Islamic content filter (PordaAI — “Blur Haram objects, real-time AI for Islamic values”), whether you’ve installed an anti-Zionist political tagger (Anti-Zionist Tag), or a tool designed for neurodivergent users (simplify).
If I had to guess: I doubt that automatic content blurrer, neurodivergent website simplifier, or anti-Zionist tagger actually work. They’re all just piggybacking on trending topics to get users to install them and then forget about them, then they exfiltrate the data when you visit LinkedIn.
If you mean the _browser_, then I agree in principle, but - it is a browser offered to you by Alphabet. And they are known for mass surveillance and use of personal information for all sorts of purposes, including passing copies to the US intelligence agencies.
But of course, this is what's promoted and suggested to people and installed by default on their phones, so even if it's Google/Alphabet, they should be pressured/coerced into respecting your privacy.
This is not. To violate trust, there should have been some.
LinkedIn scans for Anti-woke (“The anti-wokeness extension. Shows warnings about woke companies”), Anti-Zionist Tag (“Adds a tag to the LinkedIn profiles of Anti-Zionists”), Vote With Your Money (“showing political contributions from executives and employees”), No more Musk (“Hides digital noise related to Elon Musk,” 19 users), Political Circus (“Politician to Clown AI Filter,” 7 users), LinkedIn Political Content Blocker, and NoPolitiLinked.
It's no different from when you visit an Islamist or anti-Zionist website that has analytics/trackers/ads on it.
It's bad, but this "massive violation of trust" is happening everywhere and has been for decades. There's nothing that's unique to Microsoft here.
To protect the privacy of our members, their data, and to ensure site stability, we do look for extensions that scrape data without members’ consent or otherwise violate LinkedIn’s Terms of Service.
Here’s why: some extensions have static resources (images, javascript) available to inject into our webpages. We can detect the presence of these extensions by checking if that static resource URL exists. This detection is visible inside the Chrome developer console. We use this data to determine which extensions violate our terms, to inform and improve our technical defenses, and to understand why a member account might be fetching an inordinate amount of other members' data, which at scale, impacts site stability. We do not use this data to infer sensitive information about members.
For additional context, in retaliation for this website owner’s account restriction, they attempted to obtain an injunction in Germany, alleging LinkedIn had violated various laws. The court ruled against them and found their claims against LinkedIn had no merit, and in fact, this individual’s own data practices ran afoul of the law.
Unfortunately, this is a case of an individual who lost in the court of law, but is seeking to re-litigate in the court of public opinion without regard for accuracy.
I'm quite sure having unfettered insight into the browser environments of your users makes enforcing your Terms of Service much easier, but held against the (even minute) risk of exposing one of users' political, religious or sexual preferences, any of which might carry with it massive risk of bodily injury or death in many parts of the globe? I'm sorry but ToS enforcement does not even begin to clear that bar.
If you don't want your users to scrape large parts of your website, have you considered just blocking users with outsized traffic usage and not violating their privacy in the process?
Justifying this invasion of privacy as a means of defending LinkedIn against the apparently existential threat posed by something as pedestrian as scraping is especially ridiculous when considering how LinkedIn managed to even get off the ground in the first place: By invading the privacy of its unwitting users by scraping their contacts and impersonating them via email[1].
[1] https://en.wikipedia.org/wiki/LinkedIn#Use_of_e-mail_account...
What a nightmare! Are your findings and this list of malicious extensions published somewhere?
You state a lot, but not once do you give even the slightest proof for your claims.
Call me doubtful at best.
Not clear why it needs to scan for Amazon image downloaders, Rufus conversation extracters, Amazon delivery scheduler, Product Scanner, or pharmacy operations.
That was a two minute search here:
Microsoft has lied in the past about what information that they do and don't store, why should we believe you now?
Your comment is disingenuous, insulting and has only served to make me check more extensions and only browse LinkedIn in a secure, private window.
The Bavarian Central Cybercrime Prosecution Office in Bamberg has opened an investigation into this matter (Case File No 650 UJs 2809/26) and I am sure they are interested in talking to you.
They would love to hear how this is all plain wrong.
Sure, this can be solved at the legal layer, but in this case, there seems to be a much simpler and more effective technical solution, so why not pursue that instead?
I agree on the practical aspect though.
Chrome extensions can expose internal files to web pages through the web_accessible_resources field in their manifest.json. When an extension is installed and has exposed a resource, a fetch() request to chrome-extension://{id}/{file} will succeed. When the extension is not installed, Chrome blocks the request and the promise rejects.
This looks intentional enough that I wonder if there's a legit reason for it.
Why should a website be able to scan for extensions at all?
Or if there's a legitimate need (like linkedin.com wants to see if you installed the linkedin extension), leave it up to the extension to decide if it wants to reveal itself. The extension can register a list of URL patterns it will reveal itself to. So the linkedin extension might reveal itself only to *.linkedin.com, a language translation extension might reveal itself to everyone, and an adblocker extension might not choose to reveal itself to anyone.
Extensions choose on which sites they're active and whether they provide any available assets (e.g. some extensions modify the CSS of the website by injecting their CSS, so that asset is public and then any website where the extension is active can call fetch("chrome-extension://<extension_id>/whatever/file/needed.css") if it knows the extension ID (fixed for each extension) and the file path to such an asset... if the fetch result is 404, it can assume the extension is not installed; if the result is 200, it can assume the extension is installed.
This is what LinkedIn is doing... they have their own database of extension IDs and a known working file path, and they are just calling these fetches... they have been doing it for years, I've noticed it a few years back when I was developing a chrome extension which also worked with LinkedIn, but back then it was less than 100 extensions scanned, so I just assumed they want to detect specific extensions which break their site or their terms of use... now it's apparently 6000+ extensions...
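The manifest-side mitigation the two comments above describe (the extension deciding which sites may see its assets at all), as an added example that is not from the thread, from LinkedIn, or from any real extension: a small auditor for an MV3 manifest's web_accessible_resources. It relies on the real MV3 keys resources, matches and use_dynamic_url (Chrome's documentation states that with use_dynamic_url the resource is reachable only through a per-session dynamic id, not the fixed extension id); the three manifests below are constructed for the example.

```javascript
// Added example: audit an MV3 manifest's web_accessible_resources for settings
// that let arbitrary sites probe the extension. Not from the thread or from any
// real extension; the manifests are constructed. Keys used (resources,
// matches, use_dynamic_url) are real MV3 manifest keys.

// Match patterns that grant every web origin access to a resource.
const ALL_ORIGIN_PATTERNS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);

// Returns a list of findings; [] means no entry is probeable from arbitrary sites.
function auditWebAccessibleResources(manifest) {
  const findings = [];
  const war = manifest.web_accessible_resources || [];
  if (manifest.manifest_version !== 3) {
    // MV2 takes a flat list of paths, each exposed to every origin at the fixed id.
    if (war.length > 0) {
      findings.push({ entry: null, severity: 'high',
        message: `MV2 exposes ${war.length} resource(s) to every origin at the fixed extension id` });
    }
    return findings;
  }
  war.forEach((entry, i) => {
    const matches = entry.matches || [];
    const everyOrigin = matches.some((m) => ALL_ORIGIN_PATTERNS.has(m));
    const dynamic = entry.use_dynamic_url === true;
    const files = (entry.resources || []).join(', ');
    if (everyOrigin && !dynamic) {
      // This combination is what makes a fixed-URL probe possible from any site.
      findings.push({ entry: i, severity: 'high',
        message: `entry ${i} (${files}): reachable from every origin at the fixed extension id, so any page can test for this extension with one fetch()` });
    } else if (everyOrigin && dynamic) {
      findings.push({ entry: i, severity: 'low',
        message: `entry ${i} (${files}): reachable from every origin, but only through the per-session dynamic id` });
    }
    // Narrow `matches` (only the sites the extension actually modifies) is the
    // choice the comments above describe and produces no finding.
  });
  return findings;
}

// Constructed weak manifest: exposes its injected CSS and logo to every origin.
const WEAK_MANIFEST = {
  manifest_version: 3,
  name: 'Example Page Styler (constructed)',
  web_accessible_resources: [
    { resources: ['styles/inject.css', 'img/logo.png'], matches: ['<all_urls>'] },
  ],
};

// Constructed hardened manifest: same files, but only the site the extension
// works on may load them, and only via the dynamic id.
const HARDENED_MANIFEST = {
  manifest_version: 3,
  name: 'Example Page Styler (constructed)',
  web_accessible_resources: [
    { resources: ['styles/inject.css', 'img/logo.png'],
      matches: ['https://*.example.invalid/*'], use_dynamic_url: true },
  ],
};

// Constructed MV2 manifest for comparison: a flat list, always public.
const LEGACY_MV2_MANIFEST = {
  manifest_version: 2,
  name: 'Example Page Styler (constructed, MV2)',
  web_accessible_resources: ['styles/inject.css'],
};

// Run the audit over all three and return the findings keyed by manifest.
function runAudit() {
  return {
    weak: auditWebAccessibleResources(WEAK_MANIFEST),
    hardened: auditWebAccessibleResources(HARDENED_MANIFEST),
    legacy: auditWebAccessibleResources(LEGACY_MV2_MANIFEST),
  };
}

console.log(JSON.stringify(runAudit(), null, 2));
```

An extension author can run this over their own manifest.json with node after JSON.parse; the useful outcome is the hardened shape, where matches lists only the origins the content script actually touches, so a site the extension never modifies gets nothing back from the fetch regardless of how many ids it tries.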
I set up the cgroups hack so I could route traffic from a dev profile into a VPS vpn, and may not be that useful for everyone.
But I think this is a reminder that you may want to have at least two profiles: one public and the other private. Do you really want Microsoft to know you installed the "Otaku Neko StarBlazers Tru-Fen Extendomatic" package to change every picture of a current political figure to an image from the cast of Space Battleship Yamato?
You may be interested in Qubes OS. My daily driver. Can't recommend it enough.
I will work on an improvement to that extension so that it can block these scans if they attempt them in firefox.
I am a little surprised something like CORS doesn't apply to it, though.
This is fair from Linkedin IMO as I've seen loads of different extensions actually scraping the linkedin session tokens or content on linkedin.
It's not clear though, either they only tested against chrome-based browsers or Firefox isn't enabling them to do so.
edit: I answered before I went fully through the article, but it does say it's only Chrome based.
> The extension scan runs only in Chrome-based browsers. The isUserAgentChrome() function checks for “Chrome” in the user agent string. The isBrowser() function excludes server-side rendering environments. If either check fails, the scan does not execute.
> This means every user visiting LinkedIn with Chrome, Edge, Brave, Opera, Arc, or any other Chromium-based browser is subject to the scan.
I'm happy to see that this doesn't hit firefox. I wonder if safari is impacted.
Also the site doesn't even work well and is one of the main examples of "dark patterns" on the web [1].
Literally one of the worst companies and websites out there. Stallman has a summary of the additional reasons [2].
[0] https://www.eff.org/deeplinks/2017/12/eff-court-accessing-pu...
[1] https://medium.com/@danrschlosser/linkedin-dark-patterns-3ae...
It seems to not scan for Privacy Badger and uBlock Origin, two extensions I rely on. That's... surprising.
Is that enough blocking, I wonder?
The code filters out non-Chrome browsers:
> The extension scan runs only in Chrome-based browsers. The isUserAgentChrome() function checks for “Chrome” in the user agent string. The isBrowser() function excludes server-side rendering environments. If either check fails, the scan does not execute.
> Microsoft has 33,000 employees and a $15 billion legal budget
Microsoft has more than 220k employees (it's hard to follow with all the layoffs), and G&A, which bankrolls legal expenses (but not only; it also contains basically every employee who's not engineering or sales), was only 7B in 2025, so the legal budget is much lower than that.
> Every time any of LinkedIn’s one billion users visits linkedin.com, hidden code searches their computer for installed software, collects the results, and transmits them to LinkedIn’s servers
And thought, "no way in hell this gets by Safari."
And then, under "The Attack: How it Works":
> Every time you open LinkedIn in a Chrome-based browser
Shocker. If you use a Chromium-based browser, you should expect to be trading away your privacy, IME.
If you think about how to protect yourself: the EFF Privacy Badger browser add-on [1] tries to block fingerprinting.
Also, browser fingerprints are a common tracking pattern nowadays. You can test [2] your browser, and please start protecting yourself: e.g. use add-ons like uBlock and Privacy Badger to block tracking and/or use different browsers and devices for different use cases. DNS blocking with a block list like hagezi [3] is IMO the best option, but also a bit more involved, since you host your own DNS forwarder(s). For example, AdGuard Home [4] helps you with hosting your own DNS infrastructure. It's also possible to add block lists to dnsmasq or unbound and run them on your notebook as forwarders.
[1] https://privacybadger.org/
[2] https://coveryourtracks.eff.org/
> 'the term “exceeds authorized access” means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter;'
The problem, of course, is that by clicking on a LinkedIn link, you agree to a non-negotiated contract that can change at any time, and that you have never seen. If that weren't allowed, then this sort of crap would correctly be considered "unauthorized access":
Considering the goal is to identify people, this is undeniably PII. As the article demonstrates, it also pertains to sensitive information.
⇒ which Chrome allows sites to do.
Not sure if this counts, but my post was actually sandwiched between two large LinkedIn posts (the "2 tabs = 8 GB" one and now this) within the timing [0].
I always write things myself, even if they might take hours.
But I also believe that my post overlapped with bigger AI news (OpenAI getting funded, Claude being leaked); I have seen some cool projects lately on Hacker News which aren't getting attention, as all of that attention gets redirected to AI-related news.
[0]: To be honest, I write things for myself first and just upload them here for discussion purposes. I am perfectly fine with my posts not reaching traction, because I try to/wish to write for myself first and foremost :). Also, regarding that LinkedIn incident, I just wrote things to get it off my chest really.
Essentially, they are labelling you, like most do, but against some interesting profiles given the kinds of extensions they are scanning for.
My guess: LinkedIn has been used for years as a source of valuable information for phishing/spear-phishing.
Maybe their motive is really spying. But more important for them is to fight against people botting LinkedIn.
IMHO, browser fingerprinting should be banned and the EU should require browser companies to actively fight against it, not to help them (Fu Google).
There's a reason I continue to use Firefox (with uBlock Origin) and will never switch.
Also, when I got laid off from a previous job, I made a LinkedIn profile to help find a new job. Once I found a new job, I haven't logged into LinkedIn since - that was almost 2 years ago.
https://www.linkedin.com/pulse/how-linkedin-knows-which-chro...
It's either the extension's choice to become detectable ("externally_connectable" is off by default) or it makes unique changes to websites that allow for its detection.
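What the two comments above describe (a site fetching a known file path inside an extension by its ID, and the extension's own manifest deciding whether that is possible) can be checked from the defender's side. The following is an added example, not code from LinkedIn or from any real extension: a small audit that reports which resources in an extension manifest a page on an unrelated origin could request, with a constructed exposed manifest beside a hardened one. The keys web_accessible_resources, matches and use_dynamic_url are Chrome's manifest keys; the extension name, paths and site are made up.

```javascript
// Added example (not LinkedIn's or any extension's code): audit an extension
// manifest for resources a page on an arbitrary origin could fetch through
// chrome-extension://<id>/<path>, which is what makes an extension detectable.
// Key names follow Chrome's manifest format; the manifests below are constructed.

// True when a match pattern grants every origin (host part is a bare "*").
function isBroadPattern(pattern) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?|file|ftp):\/\/([^/]*)\//.exec(pattern);
  return m !== null && m[2] === "*";
}

// Returns [{ resource, reason }] for every path reachable by stable extension ID
// from any site. MV2 lists are flat and exposed to all origins; MV3 entries are
// skipped when their matches are narrow or when use_dynamic_url is set, which per
// the manifest documentation limits access to the per-session dynamic ID.
function probeableResources(manifest) {
  const war = manifest.web_accessible_resources || [];
  const findings = [];
  if (manifest.manifest_version === 2) {
    for (const resource of war) findings.push({ resource, reason: "MV2: exposed to all origins" });
    return findings;
  }
  for (const entry of war) {
    const broad = (entry.matches || []).filter(isBroadPattern);
    if (broad.length === 0) continue;          // only the listed origins can fetch it
    if (entry.use_dynamic_url === true) continue; // not addressable by the stable ID
    for (const resource of entry.resources || []) {
      findings.push({ resource, reason: `exposed to every origin via ${broad.join(", ")}` });
    }
  }
  return findings;
}

// Constructed sample: the common "works everywhere" configuration.
const exposedManifest = {
  manifest_version: 3,
  name: "Example Filter (constructed sample)",
  web_accessible_resources: [
    { resources: ["icons/logo.png", "inject.js"], matches: ["<all_urls>"] }
  ]
};

// Constructed sample: same extension, limited to the one site it works on
// and served only through the dynamic ID.
const hardenedManifest = {
  manifest_version: 3,
  name: "Example Filter (constructed sample)",
  web_accessible_resources: [
    { resources: ["inject.js"], matches: ["https://www.example.com/*"], use_dynamic_url: true }
  ]
};

console.log(probeableResources(exposedManifest));  // two findings
console.log(probeableResources(hardenedManifest)); // []
```

Run the audit over the manifest.json of each installed extension to see which ones a page could probe this way.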
The hard part is that some APIs return items in a different order or with different indentation so my engine normalizes all the variants into consistent objects.
It's quite impressive that LI works at all given the complexity.
I ask because it seems like every job I apply to asks for a LinkedIn profile, and I've heard floating around that if it's not filled in enough most employers assume you're a bot. Heck, one of the forms from the "who's hiring" thread yesterday straight up said if you have < 100 connections they'd throw out your application. So, in order to get my foot in the door, I need to hand over vast and intricate data about my personal life to a third party?
For the broader issue of not wanting to give even the information you'd need to choose to share to LinkedIn? Network the good ol' fashioned way: talking to random strangers in San Francisco bars.
Uh what.
Second not having a ton of extensions. Extensions can do fishy things.
This is Chrome’s broken model. Before installing an extension, one should be able to see all the domains an extension talks to.
The domains should be listed in manifest. But that’s not how it works.
In Android, every app you open needs a gazillion default permissions.
The moment in history where we all pretend that Israel is a normal country has been and gone.
I'm not convinced by their page explaining "Why it's illegal and potentially criminal" [0]. It's written by security researchers and non-attorneys.
For example, this characterization seems overly broad:
> The Court of Justice of the European Union has ruled, in three separate cases, that data which allows someone to infer or deduce protected characteristics is covered by this prohibition, regardless of whether the company intended to collect sensitive data.
I'm not seeing my spicy extensions (e.g. BPC), or the ones I use to block content on LinkedIn (ViolentMonkey, uBlock). So this isn't about detecting what they might deem as bad behaviour.
Nor could it be a fingerprinting thing, right? You'd want a full list for a full ID.
But they are checking out your religion. Deeply creepy.
* Anti-Zionist Tag (directly inferring political opinion)
* PordaAI (Islamic content filter)
* simplify (browsergate.eu specifically called out as a neurodivergent accessibility tool. Job search autofill that markets itself as particularly useful for people who struggle with forms)
* No more Musk ("Hides digital noise related to Elon Musk")
* Political Circus ("Politician -> Clown AI Filter")
* Job application trackers and utils ("Job Follow-Up Tracker" etc)
* Various "Distraction Blocker" type addons
LinkedIn scanning for tools that scrape LinkedIn:
* LinkedIn Cookie Sync for Headhunting Agent
* LinkedIn Cookie importer for Derrick (lol "for Derrick")
* MailMatics Cookie Grabber
* LinkedIn Fake Job Post Detector. Yes, they're detecting an addon that exposes fake job postings on their own platform.
*NOT* in the list, if you were wondering:
* Shinigami Eyes
* Dark Reader
* Adblockers
* Password managers
* FoxyProxy
* User-Agent spoofers, request modification tools, etc
* Most privacy/security tools (no uBO, no Privacy Badger, no FoxyProxy, no NoScript, etc.)
For the latter category, the most interesting things we found that *were* searched for are BuiltWith Technology Profiler and some browser add-ons bundled with scanners (e.g. "Malwarebytes Browser Guard Beta").
I hope browsers in the future will need to ask for permission before doing any of that.
Here's a quick look at only the static things a website can fingerprint https://www.browserscan.net/.
One of the culprits is https://li.protechts.net taking 2GB RAM and 8% CPU.
DDG searches say this is something for LinkedIn. I had two LinkedIn tabs open but left them behind as I opened other tabs to research.
So I had not reopened these tabs in over 9 hours and they are still just humming along, sucking down almost 10% of CPU and a couple gigs of RAM, for what?
This is Firefox with uBlock Origin. Quick searches showed Malwarebytes Browser Guard considered it (protechts.net) malware for a bit and then took it off the list of things it blocked / warned about.
Not sure this is related to the scan mentioned, but it may be related to the overall concerns about data and unknown usage of resources.
I'm considering blocking this at the dns hosts level at this point.
Different browsers have various settings available, but do we have a Little Snitch for a web browser?
Firefox with a non-default profile can be created like that:
./firefox -CreateProfile "profile-name /home/user/.mozilla/firefox/profile-dir/"
# For LinkedIn that would be:
./firefox -CreateProfile "linkedin /home/user/.mozilla/firefox/linkedin/"
And you can launch it like that:
./firefox -profile "/home/user/.mozilla/firefox/profile-dir/"
# For LinkedIn that would be:
./firefox -profile "/home/user/.mozilla/firefox/linkedin/"
So, given that /usr/bin/firefox is just a shell script, you can:
- create a copy of it, say, /usr/bin/firefox-linkedin
- adjust the relevant line, adding the -profile argument
If you use an icon to run Firefox (say, /usr/share/applications/firefox.desktop), you'll need to copy/adjust the line for the icon too. Of course, "./firefox" in the examples above should be replaced with the actual path to the executable. For a default installation of Firefox the path would be the /usr/bin/firefox script.
So, you can have separate profiles for something sensitive/invasive (LinkedIn, shops, etc.) and then a separate profile for everything else.
And each profile can have its own set of extensions.
No it isn't. Performing fingerprinting on users' devices to ultimately profit from financially, or worse, is misleading. Especially doing this while knowing the user isn't aware what this really means and just deciding it for them.
The headline is just an exaggerated way of saying what is really happening.
LinkedIn is getting nothing.
I really don't think they're "illegally" searching your computer; they're checking for sloppy extensions that let LinkedIn know they're there because of bad design.
> Microsoft has 33,000 employees
this should probably be LinkedIn, not Microsoft.
How much is that currently? $600M?
And not letting you read your messages when on your mobile phone unless you use their app is particularly mean. Considering again where they are sending all the information they scrape.
This feels very similar, except now it's taking a swing at Microsoft. It's apparently paid for by some mysterious "trade association and advocacy group for commercial LinkedIn users" that runs out of a private PO box in a small German town - uh huh. I'm not going to feel bad for Microsoft, but I would love to read some investigative reporting down the line.
2020 - LinkedIn Sued For Spying on Clipboard Data After iOS 14 Exposes Its App:
https://wccftech.com/linkedin-sued-for-spying-on-clipboard-d...
2013 - LinkedIn MITM attacks your iPhone to read your mail:
https://www.troyhunt.com/disassembling-privacy-implications-...
2012/2016 - Data breach of 164.6 million accounts:
https://haveibeenpwned.com/breach/LinkedIn
According to haveibeenpwned.com, my email & password were leaked in both the 'May 2012' and 'April 2021' LinkedIn incidents.
This is not about sandboxed or not. That's not the point.
The point is this is being done on a platform with 1 billion users with REAL NAMES, with REAL JOBS, working for REAL EMPLOYERS.
This is a privacy violation by every meaning of the term. But it is a lot more: It is the largest INDUSTRIAL ESPIONAGE operation I have ever heard of.
Literally every company on the planet (and every institution) has its employees' browsers scanned for installed extensions. Some 200 are DIRECT COMPETITORS to Microsoft.
This is not about the behavior of a rando website trying to stop malicious actors. That simply misses the point. By far.
Use Safari or Firefox, and Chrome only for incognito web app testing.
HOLD EXECS LEGALLY ACCOUNTABLE, CRIMINALLY AND CIVILLY, FOR THE CRIMES OF THEIR CORPORATIONS.
I know there has been other LinkedIn hate on HN this week. I know they have some good tools for job searching and hiring. I still wish we as a society could move on and leave this one with MySpace.
I mean, come on. Do I like that they are making use of browser fingerprinting? Not really. But to make it sound like they are "illegally" scanning my computer is ridiculous.
> Every time any of LinkedIn’s one billion users visits linkedin.com, hidden code searches their computer for installed software
and then proceeds not to explain how it’s doing that to me, a Safari user.
Because, spoiler: it isn’t. Or, it might try to search, and fail, and nothing will be collected.
But people do use Chrome, and this trick works there.
This reminds me of the slop bug reports plaguing the curl project.
I am not a lawyer, but site stability seems like a GDPR "Legitimate Interest" in my book anyway.
These aren't good people, but if you make the fine to the organisation much more expensive than the expected return, lock up the whole board and leave their families without a pot to piss in we will see this become the exception instead of the norm.
OMG, is literally every article written with LLMs these days? I just can't anymore. It's all so tiring.
Would you like me to suggest some AI summarizer tools you could use to more efficiently read AI generated content in the meantime?
well done
I get it... I'm not a good writer. It just sucks that now people are going to assume the stuff I said isn't even me.
I guess I always scored pretty low on the Turing test and never even knew it.
The language is natural. Normal. Human. Who could question its authenticity?
The original example isn't the worst offender, but even small offenders stick out when you can't escape seeing this kind of thing everywhere.
I find myself doing this a lot, and I’m sure even more slips without my notice.
What's tiring is a comment like this. If you don't like the article don't read it -- and don't comment.
What matters is the content!
What's next? "There's punctuation in the sentence, must be AI" ?
Literally 2 days ago, I submitted a post, "LinkedIn 'final decision', restricting my account and making me feel unheard" [0], explaining some of the worst customer support I have seen.
I wish to give a TLDR, but essentially LinkedIn will simply reject your account or give you an immense headache if your IDs aren't being detected by Persona (Persona is a really shady company in and of itself with really not the best security practices). I actually lost count of how many times their customer support just responded with a bland message and just didn't even read my message.
This is why, being frustrated by all of this, I actually sent a LinkedIn customer support message that I don't feel heard, I want to be heard by a human, "so if you are a human...", especially when they were asking ME to go to a public notary to sign an affidavit to get a 1-day-old restricted LinkedIn account (oh btw, it's also illegal for a minor to sign at a public notary in my country the way they mentioned, and I mentioned it about as many times as I could, and that I am willing to share my ID like Aadhaar with them, but they genuinely don't hear your messages).
Honestly, my experience just says that there is no human customer support at LinkedIn; it's really a customer support nightmare worse than even some of the telecom horror stories. Perhaps I should contact browsergate.eu to see if my incident within my country can also be a case of legality or not; essentially I was cooperating with them to give any document that I can reasonably provide, but LinkedIn forms and everything redirect to 404 as well. You can read my experience in depth, but my experience really shows me LinkedIn customer support being so unhelpful that you question how a company can be so bad. I wish for more ethical alternatives to LinkedIn and its nightmare to appear within this space.
(I also had a minor idea of asking LinkedIn support to see if they read my messages: literally as I told them that I feel unheard, I would like it if they can make me feel heard and that they are reading my messages, so if they are actually reading my message, then respond to me with the value of 351/13, and I asked the person who joined LinkedIn as to why they joined LinkedIn; essentially just one line would suffice to know if I am talking to a human or not. They did not respond to any of this and essentially, as far as I can tell, pasted another pre-generated response, not hearing me.)
[0]: https://news.ycombinator.com/item?id=47586760 (https://smileplease.mataroa.blog/blog/linkedin/)
That seems like the most obvious use case? Or maybe I missed something in the write up.