When companies get caught doing this sort of thing, the response is almost always the same: "we're using this technology to combat fraud," or "ensure positive user experience," or "save computing resources," or some other hog wash.

The simple truth, there's no reason to be collecting data that can be used to identify a user across the web if they're not signed in to your service.

The harm of companies like Experian or LinkedIn being able to correlate all of your web traffic back to you is not hard to imagine. Though, it begs a simple question: should a company involved in my professional life have access to my personal information obtained without my explicit consent?

No. End stop.

This is not new

According to records documented by browsergate.eu and a GitHub repository tracking the extension list, LinkedIn's extension scanning dates to at least 2017, when the list contained 38 entries. My count? As of April 2026, LinkedIn has identified and tracks 6,278 extensions.

The list is actively maintained and expanding.

At this scale the catalog was not built by hand. Someone wrote tooling to crawl Chrome Web Store extension packages, parse each manifest for web-accessible resources, identify a probe target, and add the entry to the list. This is infrastructure that has been in place for nearly a decade.

I verified this myself

I opened LinkedIn in Chrome. I opened developer tools (F12 or Inspect) and the console filled with errors.

Each one of those errors is LinkedIn asking your computer if you have a specific extension installed.

Skip to the bottom for more technical details.

LinkedIn already knows so much about you, why tell them more?

Most fingerprinting operations work against anonymous visitors. The fingerprint allows a site to recognize a returning browser without cookies.

The profile that results is technically identified but not necessarily personally identified. The site knows a device, not a person. Still an issue, but not inherently linked to any personal information.

LinkedIn is not working with anonymous visitors.

LinkedIn knows your name. Employer. Job title. Career history. Salary range. Professional network. Location.

You provided them with all of it.

When LinkedIn's extension scan runs on your browser, it is not building a device profile for an unknown visitor. It is appending a detailed software inventory to a profile that already contains your verified professional identity.

The harm is specific.

Hundreds of job search extensions are in the scan list. LinkedIn knows which of its users are quietly looking for work before they've told their employer.

Extensions tied to political content, religious practice, disability accommodation, and neurodivergence are in the list. Your browser software becomes a source of inferences about your personal life, attached without your knowledge to your professional identity.

And because LinkedIn knows where each user works, none of this is only linked to an individual. The scan results from one employee contribute to a picture of their organization. Across enough employees, LinkedIn can map a company's internal tooling, security products, competitor subscriptions, and workflows, without that organization's knowledge or consent. Your browser becomes a window into your employer.

None of this is disclosed in LinkedIn's privacy policy. There is no mention of extension scanning in any public-facing document. No user was asked for consent. No user was informed.

None of this is disclosed in LinkedIn's privacy policy

Why this matters beyond LinkedIn

The precedent

LinkedIn is using these extension lists to make inferences and take enforcement actions against users who have them installed. According to browsergate, Milinda Lakkam confirmed this under oath, saying, "LinkedIn took action against users who had specific extensions installed."

Users who had no idea their software was being inventoried, no idea the inventory was being used against them, and no way to know it was happening because none of it appears in LinkedIn's privacy policy.

The fingerprinting ecosystem problem

Browser fingerprinting is usually discussed as a tracking problem contained to one site. A site collects signals, builds a profile, recognizes you across sessions. The problem stays local.

That framing understates what's actually happening.

LinkedIn's extension scan produces a detailed software inventory linked to a verified identity. That profile doesn't have to stay at LinkedIn to be useful.

If LinkedIn purchases a third party behavioral dataset and your fingerprint appears in it, they can append that data to what they already know about you. Your browsing behavior off LinkedIn, your purchase history, your location patterns, your interests, all of it becomes part of a profile that is linked to your LinkedIn account.

The reverse is also true. LinkedIn integrates third party scripts including Google's reCAPTCHA enterprise, loaded on every page visit. Data flows between platforms. A fingerprint that LinkedIn has linked to your verified identity can inform advertising and tracking systems far outside linkedin.com.

You log into LinkedIn once, and the fingerprint that visit produces can follow you across the web.

This is the larger ecosystem problem. Browser fingerprinting is the connective tissue of the modern surveillance economy. It is how profiles built on one platform get enriched with data from another. It is why you get Instagram or Facebook ads for the item you were just looking up on Google.

It is how your professional identity, your browsing behavior, your installed software, and your location history get stitched together into something none of those individual platforms could build alone.

The people this is a real threat to

For the journalists, lawyers, researchers, and human rights investigators, that distinction is operationally significant. Your LinkedIn profile is one of the most detailed verified identity documents that exists about you online. You built it deliberately, for professional purposes, with your real name attached. The extension scan means that profile now includes a record of every privacy tool, security extension, research tool, and productivity application installed in your browser, collected without your knowledge, linked to your verified identity, and transmitted encrypted to LinkedIn's servers with every action you take on the platform.

If you use LinkedIn and Chrome, this is happening to you right now.

Advanced JavaScript fingerprinting

The extension scan is not a standalone feature. It is part of a broader device fingerprinting system LinkedIn calls APFC, Anti-fraud Platform Features Collection, internally also referred to as DNA, Device Network Analysis.

While LinkedIn is a little more forthcoming about these tracking methods, as they are commonly included on commercial websites, this establishes a sort of pattern of behavior.

That system collects 48 browser and device characteristics on every visit: canvas fingerprint, WebGL renderer and parameters, audio processing behavior, installed fonts, screen resolution, pixel ratio, hardware concurrency, device memory, battery level, local IP address via WebRTC, time zone, language, and more.

The extension scan is one input into a much larger profile.

Technically, what's happening?

LinkedIn's code fires a fetch() request to a chrome-extension:// URL, looking for a specific file installed to chrome. When the extension isn't installed, Chrome blocks the request and logs the failure. When it is installed, the request resolves silently and LinkedIn records it.

You can verify this yourself. Open LinkedIn in Chrome. Open developer tools. Go to the console tab. Watch what happens. Every red error is a part of your fingerprint.

The code

The system responsible for this lives in some JavaScript code that LinkedIn runs in every Chrome visitors browser. The file is approximately 1.6 megabytes (it's changed since browsergate's analysis) of minified and partially obfuscated JavaScript.

Standard minification compresses code for performance. Obfuscation is a separate step that makes code harder to read and understand. LinkedIn chose to obfuscate the exact module containing the extension scanning system, while also burying it in a JavaScript file thousands of lines long.

Inside that file, there is a hardcoded array of browser extension IDs. As of February 2026 that array contained 6,278 entries. Each entry has two fields: a Chrome Web Store extension ID and a specific file path inside that extension's package.

The file path is not incidental. Chrome extensions expose internal files to web pages through the web_accessible_resources field. When an extension is installed and has declared a file as accessible, a fetch() request to chrome-extension://{id}/{file} succeeds. When it isn't installed, Chrome blocks the request. LinkedIn has identified a specific accessible file for each of the 6,278 extensions in its list and probes for it directly.

The scan runs in two modes. The first fires all requests simultaneously using Promise.allSettled(), probing all of the extensions in parallel. The second fires them sequentially with a configurable delay between each request, spreading network activity over time and reducing its visibility in monitoring tools. LinkedIn can switch between modes using internal feature flags. The scan can also be deferred to requestIdleCallback, which delays execution until the browser is idle so the user sees no performance impact.

A second detection system called Spectroscopy operates independently of the extension list. It walks the entire DOM tree, inspecting every text node and element attribute for references to chrome-extension:// URLs. This catches extensions that modify the page even if they aren't in LinkedIn's hardcoded list. Together the two systems cover extensions that are merely installed and extensions that actively interact with the page.

Both systems feed into the same telemetry pipeline. Detected extension IDs are packaged into AedEvent and SpectroscopyEvent objects, encrypted with an RSA public key, and transmitted to LinkedIn's li/track endpoint. The encrypted fingerprint is then injected as an HTTP header into every subsequent API request made during your session. LinkedIn receives it with every action you take for the duration of your visit.

The legal context

browsergate.eu has documented the legal arguments in detail and their work is worth reading in full. The relevant context here is this: in 2024, Microsoft was designated as a gatekeeper under the EU's Digital Markets Act. LinkedIn is one of the regulated products. The DMA requires gatekeepers to allow third party tools access to user data and prohibits gatekeepers from taking action against users of those tools.

browsergate.eu argues that LinkedIn's systematic enforcement against third party tool users, combined with the covert extension scanning used to identify them, constitutes non-compliance with that regulation. Whether that argument prevails is a legal question.

What is not a question is that a criminal investigation is now open. The Cybercrime Unit of the Bavarian Central Cybercrime Prosecution Office in Bamberg confirmed an investigation. That office handles serious cybercrime cases with cross-jurisdictional reach. This is not a compliance dispute. It is a criminal matter.

I contacted browsergate.eu directly while preparing this piece. They confirmed the criminal investigation, provided the case number, and indicated the full court documents are being prepared for public release.

I will update this article when they are available.