I’ve always said that if a product is free, you’re the product. But Microsoft-owned LinkedIn appears to have taken this to a level that, in my view, feels less like “targeted advertising” and more like digital surveillance. It has been reported that while you’re busy “networking” or “collaborating,” LinkedIn is executing hidden JavaScript to scan your browser for installed extensions. They aren’t just looking for their own plugins; they are allegedly probing for thousands of specific add-ons.
I don’t personally use LinkedIn—I’ve never seen the appeal of a digital suit-and-tie parade—but these reported practices are completely unacceptable. According to researchers, you don’t even need an account to be targeted; simply landing on a public profile or their login page is enough to trigger the reported scan.
This isn’t some conspiracy theory from a dark web forum. It’s being called “BrowserGate”, and investigations by groups like Fairlinked e.V. suggest the scale is staggering. By early 2026, the list of extensions they check for has reportedly ballooned to over 6,000. If you use a Chromium-based browser—which, let’s face it, is most of the planet—you are likely affected by this.
The FOSS Argument: Why Open Source Matters
This is exactly why we prefer Free and Open Source Software (FOSS). When the code is open, it’s transparent. You can audit it, fork it, or simply trust that a community of thousands is keeping it honest. With proprietary “black box” code from Big Tech, you have no idea what is happening behind the scenes. Microsoft can allegedly inject these “spectroscopy” scripts into your browser session, and unless you’re actively monitoring your network traffic or de-obfuscating their JavaScript, you’d never know they were rummaging through your digital environment.
What are they allegedly looking for?
According to the Gadget Review report, they aren’t just curious about your choice of dark mode toggles. By scanning your extensions, LinkedIn can potentially infer incredibly sensitive data that you never explicitly consented to share:
- Political and Religious Leanings: Extensions related to specific advocacy groups or religious calendars.
- Health and Disability Status: Assistive technologies or medical tracking tools.
- Competitive Intelligence: They can reportedly see if you’re using competitor tools, effectively mapping out the “tech stack” of entire companies.
The data is allegedly encrypted and transmitted to LinkedIn and third parties like HUMAN Security. Investigative findings suggest this happens without specific mention in their privacy policy or an “opt-in” box. Lawyers are already pointing to potential violations of GDPR Article 9, which strictly forbids processing special category data without explicit consent.
The Computer Misuse Act Angle
In the UK, we have the Computer Misuse Act 1990. Section 1 covers “unauthorised access to computer material.” If these investigative reports are accurate, executing code that probes your local browser environment for data they have no explicit right to see—and doing so without clear disclosure—could place Microsoft in a precarious legal position. It’s one thing to track a cookie; it’s quite another to inventory the software running on a user’s machine.
The Brave Problem
I know many of you, myself included, use Brave for its built-in shields. However, because Brave is Chromium-based, it doesn’t automatically stop this specific type of “extension fingerprinting” out of the box. LinkedIn’s scripts reportedly use internal file paths to check if an extension is present. While Brave’s shields are great for blocking trackers and ads, this covert scanning often slips through because it mimics legitimate site functionality.
The Home Lab Defence
For those of us running home labs, this is why we obsess over privacy. It’s why we use AdGuard Home, Tailscale, and isolated containers. If you’re still browsing the web in a standard, unhardened browser profile, you’re essentially letting Big Tech’s scripts rummage through your digital drawers.
Legal proceedings under the EU Digital Markets Act (DMA) have reportedly been filed. But we know how slowly the wheels of justice turn. Microsoft will likely tie this up in appeals for years while continuing to harvest data from the mass of users.
What you should do right now
Don’t wait for a regulator to save you. You need to “join the dots” on your own security.
- Aggressive Shielding in Brave: Go to brave://settings/shields and ensure “Fingerprinting blocking” is set to Strict.
- Use a hardened secondary browser: For sites like LinkedIn, use Firefox with Multi-Account Containers to isolate them. Firefox handles extension permissions differently than Chromium, making this type of scanning much harder.
- Network-Level Blocking: If you’re running AdGuard Home or Pi-hole, keep an eye on your logs for humansecurity.com or pixel.ads.linkedin.com.
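
To make the log check above repeatable, here is an added example (not code from the original post or from any project it mentions) that scans Pi-hole-style dnsmasq query lines for the two domains named above and counts lookups per client. The log line layout is an assumption, and the sample lines, including the collector subdomain and the IP addresses, are constructed for illustration.

```python
import re
from collections import Counter

# Domains named in the post; subdomains of each are matched too.
WATCHED = ("humansecurity.com", "pixel.ads.linkedin.com")

# Assumed input: Pi-hole's dnsmasq-style query log, e.g.
#   Apr  2 09:14:03 dnsmasq[512]: query[A] example.org from 192.168.1.20
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+dnsmasq\[\d+\]:\s+"
    r"query\[(?P<qtype>[^\]]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)$"
)

def is_watched(name, watched=WATCHED):
    """True if name equals a watched domain or is a subdomain of one."""
    name = name.lower().rstrip(".")
    # The leading dot stops look-alikes such as nothumansecurity.com matching.
    return any(name == d or name.endswith("." + d) for d in watched)

def find_hits(lines, watched=WATCHED):
    """Return (timestamp, client, qtype, name) for each watched query line."""
    hits = []
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if m and is_watched(m["name"], watched):
            name = m["name"].lower().rstrip(".")
            hits.append((m["ts"], m["client"], m["qtype"], name))
    return hits

def hits_per_client(hits):
    """Count watched lookups per client so the source device is easy to find."""
    return Counter(client for _, client, _, _ in hits)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
Apr  2 09:14:03 dnsmasq[512]: query[A] www.linkedin.com from 192.168.1.20
Apr  2 09:14:04 dnsmasq[512]: query[A] pixel.ads.linkedin.com from 192.168.1.20
Apr  2 09:14:04 dnsmasq[512]: forwarded pixel.ads.linkedin.com to 9.9.9.9
Apr  2 09:14:05 dnsmasq[512]: query[AAAA] Collector.HumanSecurity.com from 192.168.1.20
Apr  2 09:15:10 dnsmasq[512]: query[A] nothumansecurity.com from 192.168.1.31
Apr  2 09:16:42 dnsmasq[512]: query[type=65] humansecurity.com from 192.168.1.31
""".splitlines()

if __name__ == "__main__":
    hits = find_hits(SAMPLE_LOG)
    for ts, client, qtype, name in hits:
        print(f"{ts}  {client:<15} {qtype:<8} {name}")
    print(dict(hits_per_client(hits)))
```

A hit only shows that a device on your network resolved one of these names; use the per-client count to decide which browser profile to isolate or harden first.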
