Every time you load LinkedIn in Chrome, Edge, or Brave, a 2.7 MB JavaScript bundle fires off thousands of parallel requests probing your browser for installed extensions. Not a handful. According to Fairlinked e.V.'s investigation, the list sits at over 6,000 specific extension IDs as of early 2026. Up from roughly 460 in 2023 and around 3,000 a year later. The results are encrypted and sent back to LinkedIn's servers. None of this is disclosed in their privacy policy. There is no opt-out. It runs on every single page load.
Browser fingerprinting used to be a shady ad-tech trick. Now a Microsoft-owned professional identity platform, where your real name, employer, and job title are permanently attached, is doing mass extension scanning at industrial scale with zero disclosure. This normalises invasive browser profiling for every professional who has no real choice but to use the platform.
The mechanism is not hidden. Open DevTools on any LinkedIn page and watch the Network tab fill with failed requests to chrome-extension:// URLs. The script checks whether specific files exist inside your installed extensions by requesting resources those extensions have declared publicly accessible. If the file loads, the extension is installed. If it 404s, it isn't. Simple, fast, and running silently in the background while you scroll your feed.
What the scan finds matters more than how it works. Around 509 of the flagged extensions are job search tools, meaning LinkedIn can identify users actively looking for work while their current employer's account sits on the same platform. Others identify practicing Muslims through prayer and content-filtering extensions, flag political orientation, and identify neurodivergent users through accessibility and focus aids. Over 200 extensions belong to competing sales platforms including Salesforce, Apollo, Lusha, HubSpot, and ZoomInfo. That last category gives LinkedIn a live map of which tools its corporate customers are running elsewhere.
The list ballooned during the exact period when EU regulators were pushing LinkedIn to open up under the Digital Markets Act. Critics see the timing as no coincidence. You want third-party tools on our platform? Fine. We'll detect exactly which ones you're using.
This is not anonymous fingerprinting. It is tied to verified professional identities across LinkedIn's over one billion registered members. The power imbalance is real. A recruiter can see your profile. Your employer can see your profile. LinkedIn can now also see your browser.
Who Else Gets the Data
LinkedIn is not processing this data alone. The fingerprinting code pulls in services from HUMAN Security (formerly White Ops). In 2022, HUMAN Security merged with PerimeterX, an Israeli firm founded by veterans of Unit 8200. That is the Israeli Defence Forces' signals intelligence and cyberwarfare division. That is not a conspiracy theory. It is public corporate history. Your browser profile, tied to your verified professional identity, flows into infrastructure with direct lineage to a military intelligence unit. Microsoft owns LinkedIn. Microsoft also makes Edge. The company is clearly comfortable with how much a browser can be made to reveal.
Under GDPR Article 9, data revealing religious beliefs, political views, or health conditions is special-category data requiring explicit consent. LinkedIn does not seek that consent and does not disclose the scanning. The fact that the data could reveal those traits is enough. LinkedIn saying they "do not actively infer them" does not resolve the consent problem.
LinkedIn's Response
LinkedIn's public response is that the scanning detects extensions violating their terms of service, improves bot defences, and flags unusual data-fetching. The person behind the Fairlinked investigation had their account restricted for scraping before publishing, and LinkedIn made sure to mention that. A German court rejected related injunction claims. LinkedIn called the campaign an attempt to relitigate in the court of public opinion. None of that changes the facts on the ground. The code still runs, the data still flows to HUMAN Security, and the privacy policy still says nothing.
The scan only runs on Chromium-based browsers. Firefox aborts it entirely because the extension API works differently. If you use LinkedIn, switching to Firefox is the immediate fix. uBlock Origin with custom filter rules targeting the fingerprinting scripts will also block it in Chromium browsers. The full extension list and technical breakdown are at browsergate.eu.
Blackout VPN exists because privacy is a right. Your first name is too much information for us.
Keep learning
FAQ
What is LinkedIn actually scanning for?
LinkedIn's JavaScript probes your browser for over 6,000 specific extension IDs, including job search tools, religious and political extensions, accessibility aids, and competitor sales platforms like Salesforce, Apollo, and HubSpot.
How does the scanning work technically?
A 2.7 MB JavaScript bundle fires parallel fetch requests for files inside specific browser extensions. If the file loads, the extension is installed. If it returns a 404, it isn't. The results are encrypted and sent to LinkedIn's servers.
Who is HUMAN Security?
HUMAN Security is a US cybersecurity firm formerly known as White Ops. In 2022 it merged with PerimeterX, an Israeli firm founded by veterans of Unit 8200, the Israeli Defence Forces' signals intelligence and cyberwarfare division.
Does this affect Firefox users?
No. The scan targets Chromium-based browsers only. Firefox handles extension APIs differently and the script aborts without collecting data.
Is this illegal under GDPR?
Fairlinked argues it violates GDPR Article 9, which requires explicit consent to process data revealing religion, politics, or health conditions. No ruling has been made on the scanning itself. EU regulatory proceedings are ongoing.