LinkedIn is secretly scanning your browser for 6,000 extensions without informing you


Summary: Every time you access LinkedIn using a Chrome-based browser, an undisclosed JavaScript routine checks your browser for over 6,000 installed extensions, collects 48 hardware and software details of your device, encrypts this information, and appends it to every API request you make during your session. Researchers call this practice “BrowserGate,” a term not mentioned in LinkedIn’s privacy policy. LinkedIn claims it’s a security measure, while critics consider it large-scale covert surveillance of users’ browsing activities without consent.

When you open LinkedIn, a routine operates unnoticed on your computer. You aren’t informed about it, and LinkedIn’s privacy policy doesn’t describe it. A report from Fairlinked e.V., a European group of LinkedIn users, indicates that LinkedIn inserts a 2.7-megabyte JavaScript bundle into its site, which clandestinely scans for more than 6,000 specific Chrome extensions, gathers detailed fingerprint data of users’ hardware, encrypts it, and sends it to LinkedIn’s servers. This data is then associated with every action you take during your session.

The findings, independently verified by BleepingComputer through their own tests, have been termed “BrowserGate.” While LinkedIn disputes parts of the report, the technical details remain uncontested.

The Script’s Function

LinkedIn refers to this scanning system as “Spectroscopy.” Once the LinkedIn site loads on a user’s browser, the script launches up to 6,222 simultaneous requests, each probing for a specific browser extension by trying to access files linked with that extension’s ID. The presence or absence of a file in response determines whether the extension is installed. All this occurs behind the scenes, without any user notification.
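The probe described above only works against extensions that expose files a web page may fetch as `chrome-extension://<id>/<path>`. As an added example (not code from the report or from LinkedIn), the first two functions below check, using a simplified reading of Chrome's match patterns, which files an extension manifest leaves reachable from a given page origin, and the third counts such fetches in a captured request list to flag bulk enumeration. The manifest and request URLs are constructed samples, not real extensions or captured traffic.

```javascript
// Added example, not code from the report or LinkedIn: defender-side checks for
// the extension-probing technique described above (simplified match patterns).

// Does a Chrome match pattern from web_accessible_resources.matches cover
// pages served from `origin`?
function patternCoversOrigin(pattern, origin) {
  if (pattern === '<all_urls>') return true;
  const m = /^(\*|https?):\/\/([^/]+)\/.*$/.exec(pattern);
  if (!m) return false;
  const { protocol, hostname } = new URL(origin);
  if (m[1] !== '*' && m[1] + ':' !== protocol) return false;
  const host = m[2];
  if (host === '*') return true;
  if (host.startsWith('*.')) {
    const base = host.slice(2);
    return hostname === base || hostname.endsWith('.' + base);
  }
  return hostname === host;
}
// Files a page on `origin` can fetch as chrome-extension://<id>/<path>, i.e.
// what an installation probe can request. use_dynamic_url swaps the stable ID
// for a per-session one, so a probe hard-coding the ID no longer resolves.
function probeableResources(manifest, origin) {
  const war = manifest.web_accessible_resources || [];
  if (manifest.manifest_version === 2) return war.slice(); // MV2: any origin
  const exposed = [];
  for (const entry of war) {
    if (entry.use_dynamic_url) continue;
    if ((entry.matches || []).some((p) => patternCoversOrigin(p, origin))) {
      exposed.push(...(entry.resources || []));
    }
  }
  return exposed;
}
// Detection side: count distinct chrome-extension:// targets a page fetched
// (e.g. from a HAR export) and flag a burst that looks like bulk enumeration.
function summarizeProbes(requestUrls, threshold = 100) {
  const ids = new Set();
  for (const u of requestUrls) {
    const m = /^chrome-extension:\/\/([a-p]{32})\//.exec(u);
    if (m) ids.add(m[1]);
  }
  return { probedExtensions: ids.size, suspicious: ids.size >= threshold };
}
// Constructed sample manifest (hypothetical extension, not a real one).
const sampleManifest = { manifest_version: 3, web_accessible_resources: [
  { resources: ['icon.png'], matches: ['*://*.linkedin.com/*'] },
  { resources: ['inject.js'], matches: ['<all_urls>'], use_dynamic_url: true } ] };
```

An extension whose manifest returns an empty list here for the origins it runs on cannot be detected by this kind of probe; a page that issues thousands of `chrome-extension://` fetches is the signal a HAR review should look for.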

Apart from extensions, the script gathers 48 unique characteristics of the user’s device, such as CPU core count, memory, screen resolution, timezone, language settings, battery, audio information, and storage capacity. Individually, these attributes seem trivial, but collectively they create a unique device fingerprint sufficient to identify a user even after cookies are cleared.

The compiled data is serialized to JSON, encrypted using LinkedIn’s RSA public key (identified internally as “apfcDfPK”), and sent to telemetry endpoints such as li/track and /platform-telemetry/li/apfcDf. This fingerprint is then permanently embedded as an HTTP header in every API request during the session, meaning LinkedIn receives it with every search, profile view, or message.

What’s Being Sought

The scanning for certain extensions goes beyond basic fraud detection. The BrowserGate report suggests LinkedIn’s list targets over 200 products that rival its own sales tools, like Apollo, Lusha, and ZoomInfo. Knowing which employers are using competitor tools offers LinkedIn insight into companies evaluating or deploying rival products.

The list reportedly includes tools related to neurodivergent conditions, religious beliefs, political interests, and job-hunting activities. In the EU, these categories qualify as sensitive data under the GDPR, necessitating heightened protection. Identifying the use of a job-search extension reveals potential employment intentions without user consent.

Since its inception, the list of extensions LinkedIn scans for has expanded significantly: it grew from 38 extensions in 2017 to 461 by 2024 and reached 6,167 by February 2026, a 1,252% increase in two years. Testing by BleepingComputer confirmed the scanning was active in April 2026.

LinkedIn’s Defense and Report Sources

Responding to BleepingComputer, LinkedIn stated, “The claims made here are incorrect,” explaining that the source of the report had their account restricted for violations of LinkedIn’s Terms. LinkedIn’s spokesperson emphasized that the data is not used to “infer sensitive member information,” and that their aim is to protect users’ privacy and site stability by identifying extensions that scrape data without consent.

Fairlinked e.V., connected to the Estonian company Teamfluence Signal Systems OÜ, conducted the report. Teamfluence, led by Steven Morell and Jan Liebling, developed a Chrome extension that faced LinkedIn restrictions. It filed for a preliminary injunction against LinkedIn for alleged breaches including of the Digital Markets Act; this was denied by the Munich court in January 2026, which found no unlawful obstruction by LinkedIn.

Though financial disagreements don’t affect technical conclusions
