Security News

Cybersecurity news aggregator

INFO News Reddit r/netsec

BrowserGate: LinkedIn/Microsoft allegedly scans 6,000+ browser extensions & links them to real identities, all without user consent

  • What: LinkedIn and Microsoft allegedly scan browser extensions without user consent
  • Impact: Over a billion users may be affected by potential privacy violations

TL;DR

Every time you visit LinkedIn, hidden JavaScript quietly scans your browser for over 6,200 specific extensions. It isn't asking permission. It isn't telling you. And based on which extensions you have installed, it can infer your religion, your politics, your health conditions, and whether you're quietly looking for a new job, all while you're just checking your notifications. This is what the commercial user association Fairlinked e.V. is calling "BrowserGate." Its investigation found that Microsoft, through LinkedIn, is running what amounts to a large-scale surveillance operation against its own users: over a billion accounts. The data being extracted falls squarely into what the GDPR calls "special category" data, the kind regulators explicitly prohibit processing without explicit consent. LinkedIn isn't just brushing up against the law here; it appears to be breaking it outright, across multiple jurisdictions, simultaneously.

How Did We Get Here?

There's a particular kind of scandal that takes a while to feel real. The breach itself isn't dramatic: no single day when servers went dark or passwords were posted on a hacker forum. Instead, this has been a slow accumulation of code, running silently in the background, while over a billion people logged in to find jobs, network, and post about their professional achievements. The Cambridge Analytica story broke that way too. The data wasn't stolen in some cinematic heist; it was quietly harvested through an interface most users would never see. BrowserGate follows the same pattern, except the scale is larger and the legal exposure may be worse.

What LinkedIn Is Actually Doing

When you load a LinkedIn page, a JavaScript program embedded in the page runs a scan. This isn't a cookie or a tracking pixel; those are passive. This is active: it probes your browser's local environment to identify which extensions you have installed. You're never asked. There's no consent screen.
LinkedIn's privacy policy doesn't mention it. What makes this especially invasive isn't just the scanning; it's that LinkedIn knows exactly who it's scanning. You're logged in. That means every result gets tied to your real name, your employer, your job title, and your location. LinkedIn isn't running anonymous analytics. It's building a detailed map of specific, identified individuals at specific companies, every day, at enormous scale.

The Three-Layer Detection System

The technical architecture here is worth understanding, because it shows how much engineering effort went into not being detected. The system, internally referred to as APFC (Anti-fraud Platform Features Collection) or DNA (Device Network Analysis), uses three methods in sequence, each designed to catch what the previous one missed.

Layer one is direct detection. LinkedIn's code uses the browser's fetch() API to request known files from specific extension URLs (on Chromium browsers these take the form chrome-extension://<id>/manifest.json or chrome-extension://<id>/logo.svg). If the request succeeds, LinkedIn logs that extension as present.

Layer two kicks in when an extension has blocked direct requests. LinkedIn then probes for other web-accessible resources the extension developer may have left exposed, essentially trying a side door after the front door is locked. (A browser only serves files an extension explicitly lists as web-accessible, so any such listed file is enough to confirm the extension is installed.)

Layer three is the one that's hardest to block. LinkedIn calls it "Spectroscopy." It walks the entire DOM tree of the page looking for any element, script, or attribute that an extension has injected. A VPN extension that modifies even one pixel of the page leaves a fingerprint. Spectroscopy finds it, extracts the extension's 32-character ID, and sends it back to LinkedIn's servers.

The results from all three layers are encrypted and bundled into a payload sent to https://www.linkedin.com/li/track. And this doesn't happen once per session: the data goes out with nearly every API call the user makes while browsing the platform.
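To make the three layers concrete, here is an added simulation written for this summary; it is not LinkedIn's script and not code from the Fairlinked investigation. The extension IDs, candidate file paths, the fake browser and the sample DOM are all constructed, and `reachable(url)` stands in for `fetch(url).then(r => r.ok)` so that the whole thing runs offline in Node. It also includes the check a practitioner would most want: a wrapper that records every chrome-extension:// URL a page asks for.

```javascript
// Added example (not LinkedIn's code): a stand-alone simulation of the
// three probing layers described above. Extension IDs, candidate paths,
// the fake browser and the sample DOM are all constructed.

// Chrome extension IDs are 32 characters drawn from the letters a-p.
const EXT_URL_RE = /chrome-extension:\/\/([a-p]{32})\//g;

// Layers 1 and 2: request known files (manifest.json, logo.svg, ...) from each
// candidate extension's origin. `reachable(url)` stands in for
// fetch(url).then(r => r.ok) so that this runs outside a browser.
function probeExtensions(candidates, reachable) {
  const found = {};
  for (const { id, paths } of candidates) {
    for (const path of paths) {
      if (reachable(`chrome-extension://${id}/${path}`)) {
        found[id] = path; // record which file answered
        break;            // first hit is enough; move to the next extension
      }
    }
  }
  return found;
}

// Layer 3 ("Spectroscopy"): walk a DOM-like tree and pull extension IDs out
// of any attribute value or text node that references chrome-extension://.
function spectroscopy(node, acc = new Set()) {
  const values = [...Object.values(node.attrs || {}), node.text || ""];
  for (const value of values) {
    for (const m of value.matchAll(EXT_URL_RE)) acc.add(m[1]);
  }
  for (const child of node.children || []) spectroscopy(child, acc);
  return acc;
}

// Union of all layers: the sorted list of IDs a page could report home.
function fingerprint(candidates, reachable, dom) {
  const ids = new Set(Object.keys(probeExtensions(candidates, reachable)));
  for (const id of spectroscopy(dom)) ids.add(id);
  return [...ids].sort();
}

// Defensive check: wrap a fetch-like function and record every
// chrome-extension:// URL it is asked for. The same idea, applied to
// window.fetch in the devtools console, shows whether a site probes at all.
function monitorProbes(reachable) {
  const probes = [];
  const wrapped = (url) => {
    if (url.startsWith("chrome-extension://")) probes.push(url);
    return reachable(url);
  };
  return { wrapped, probes };
}

// ---- constructed sample data (valid ID shape, not real extensions) ----
const EXT_A = "a".repeat(32); // exposes manifest.json            -> layer 1 hit
const EXT_B = "b".repeat(32); // manifest blocked, logo.svg leaks  -> layer 2 hit
const EXT_C = "c".repeat(32); // exposes nothing, injects into DOM -> layer 3 hit
const EXT_D = "d".repeat(32); // not installed

const SAMPLE_CANDIDATES = [EXT_A, EXT_B, EXT_C, EXT_D].map((id) => ({
  id,
  paths: ["manifest.json", "logo.svg"],
}));

// Fake browser: the only chrome-extension:// URLs that resolve.
const INSTALLED_RESOURCES = new Set([
  `chrome-extension://${EXT_A}/manifest.json`,
  `chrome-extension://${EXT_B}/logo.svg`,
]);
const sampleReachable = (url) => INSTALLED_RESOURCES.has(url);

// Fake page: EXT_C injected a stylesheet; the <a> href contains 32 a-p
// letters but is not an extension URL, so the regex must ignore it.
const SAMPLE_DOM = {
  tag: "html",
  children: [
    { tag: "head", children: [
      { tag: "link", attrs: { rel: "stylesheet",
        href: `chrome-extension://${EXT_C}/inject.css` } },
    ] },
    { tag: "body", children: [
      { tag: "a", attrs: { href: "https://example.com/abcdefghijklmnopabcdefghijklmnop" } },
      { tag: "div", text: "You have 3 new notifications" },
    ] },
  ],
};

// Run the scan through the monitor so both the result and the probe count are visible.
function runDemo() {
  const { wrapped, probes } = monitorProbes(sampleReachable);
  const ids = fingerprint(SAMPLE_CANDIDATES, wrapped, SAMPLE_DOM);
  return { ids, probeCount: probes.length };
}

console.log(runDemo()); // ids: [EXT_A, EXT_B, EXT_C], probeCount: 7
```

Two caveats worth keeping in mind when reading the real thing. In a Chromium profile, layers one and two only succeed for files an extension lists under web_accessible_resources, and a Manifest V3 extension that also sets use_dynamic_url on those entries is served from an unguessable origin, which defeats URL probing but not a DOM walk. And the monitor above is a simplification: to use the idea on a live site, wrap window.fetch with a function that forwards all of its arguments and logs the first one when it starts with chrome-extension://.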
What the 6,222 Extensions Actually Reveal

The list of extensions LinkedIn scans for has grown from 38 in 2017 to over 6,100 by early 2026. That's not organic growth. The acceleration correlates directly with the EU's Digital Markets Act coming into force. More on that shortly.

So what's on the list?

Competitor intelligence. Over 200 extensions in the scan list compete directly with LinkedIn's Sales Navigator tool, which generates roughly $1 billion a year in revenue. The targets include Apollo, Lusha, ZoomInfo, and Kaspr. By identifying which companies use these tools, LinkedIn can map the customer bases of its direct competitors. That's not a side effect of the scanning; it's arguably the core use case.

Job search monitoring. 509 job search extensions are on the list. If you're quietly exploring other opportunities while employed, LinkedIn can detect that. Your current employer is probably also on LinkedIn. The conflict of interest here is obvious and the consequences could be serious.

Religious profiling. GDPR Article 9 flatly prohibits processing data that reveals re...
