When LinkedIn maps 6,000+ Chrome extensions to real profiles — the privacy and DMA test
LinkedIn runs hidden JavaScript that checks for thousands of Chrome extensions inside users’ browsers, links those findings to identifiable LinkedIn profiles, and shares the results with third parties — a practice uncovered by Fairlinked e.V. in early 2026 that now sits at the intersection of GDPR Article 9 and the EU Digital Markets Act (DMA).
What was discovered and why it’s bigger than anti-scraping
Researchers at Fairlinked e.V. documented that LinkedIn’s client-side code actively probes for more than 6,000 Chrome extensions and passively inspects the page DOM for extension-related URLs. The company bundles the presence (or absence) of those extensions with other device characteristics, encrypts the fingerprint, and appends it to every API request during a user session.
That list of extensions includes LinkedIn competitors (Apollo, Lusha, ZoomInfo), job-search tools, language add-ons and extensions that can reveal highly sensitive attributes such as political views or religion. Because LinkedIn profiles are tied to verified identities and employers, the collected data links identifiable people to private attributes — far beyond a narrow anti-scraping signal.
How the probe operates and where data moves
The detection uses two distinct techniques. First, active probing: the script requests known web-accessible files using Chrome’s extension URL scheme (chrome-extension://…), confirming an extension exists when a resource responds. Second, passive observation: the script scans the DOM for extension-inserted URLs and page modifications. Both feeds are merged into a fingerprint that LinkedIn encrypts and injects into an HTTP header on every API call.
Fairlinked’s report also ties parts of the flow to third parties. Some fingerprints are relayed via hidden iframes to external firms such as HUMAN Security, a US–Israeli cybersecurity company. LinkedIn has not publicly published detailed documentation of those third-party integrations.
| Technique | What it reveals | Common endpoint/destination |
|---|---|---|
| Active probe (chrome-extension:// requests) | Specific installed extensions (presence/identifiers) | LinkedIn backend via encrypted API headers |
| Passive DOM inspection | Extensions that modify pages, injected URLs | Merged fingerprint; logged per session |
| Hidden iframe transfers | Copied fingerprint data shared externally | Third parties (e.g., HUMAN Security) |
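The active-probing pattern in the table is observable from the client side: a page that is legitimately loading one extension resource looks nothing like one that requests resources from dozens of distinct extension IDs in a single session. The following analyzer is an added example, not code from LinkedIn or from Fairlinked’s report; it assumes the input is a plain list of request URLs captured from a session (for instance exported from DevTools as a HAR and flattened to URLs), and the extension IDs in its sample data are constructed placeholders, not real extensions.

```javascript
// Added example (not LinkedIn's or Fairlinked's code): flag the active-probing
// pattern described above by counting how many distinct chrome-extension://
// IDs a single browsing session requests resources from.

// Chrome extension IDs are 32 characters drawn from the letters a-p.
const PROBE_RE = /^chrome-extension:\/\/([a-p]{32})\/(.+)$/;

// Above this many distinct extension IDs in one session, treat the activity
// as bulk extension fingerprinting rather than a one-off resource load.
// The threshold is an assumption for this example, not a published figure.
const BULK_THRESHOLD = 20;

function analyzeRequests(urls, threshold = BULK_THRESHOLD) {
  const probed = new Map(); // extension id -> Set of probed resource paths
  let nonProbe = 0;
  for (const url of urls) {
    const m = PROBE_RE.exec(url);
    if (!m) { nonProbe += 1; continue; }
    const [, id, path] = m;
    if (!probed.has(id)) probed.set(id, new Set());
    probed.get(id).add(path);
  }
  return {
    totalRequests: urls.length,
    nonProbeRequests: nonProbe,
    distinctExtensionsProbed: probed.size,
    bulkProbeSuspected: probed.size >= threshold,
    probedIds: [...probed.keys()],
  };
}

// Constructed placeholder ID: 32 chars from a-p, unique per n, not a real extension.
function fakeExtensionId(n) {
  const letters = "abcdefghijklmnop";
  const tail = letters[n % 16] + letters[Math.floor(n / 16) % 16];
  return "a".repeat(30) + tail;
}

// Constructed sample session: two ordinary site requests, probes of 25
// distinct placeholder extensions, and two repeat probes of the first two.
function sampleSession() {
  const urls = ["https://www.linkedin.com/feed/", "https://www.linkedin.com/voyager/api/me"];
  for (let n = 0; n < 25; n += 1) {
    urls.push(`chrome-extension://${fakeExtensionId(n)}/images/icon.png`);
  }
  urls.push(`chrome-extension://${fakeExtensionId(0)}/css/inject.css`);
  urls.push(`chrome-extension://${fakeExtensionId(1)}/css/inject.css`);
  return urls;
}
```

Run `analyzeRequests(sampleSession())` to see the report; on the constructed session it reports 25 distinct extensions probed and sets `bulkProbeSuspected`, while a session with no `chrome-extension://` traffic reports zero.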
Why EU regulators and courts have a live test case
The practice triggers concrete legal questions under the GDPR and the DMA. Privacy lawyers in Europe point to Article 9 of the GDPR because some of the extensions scanned can reveal “special categories” of data — religion, political opinions, or health-related attributes — which normally require explicit consent for processing. Fairlinked’s public filing frames the scans as undisclosed profiling rather than a narrowly targeted anti-scraping measure.
Litigation is already in motion: a German court recently rejected a preliminary injunction from a developer who challenged LinkedIn’s enforcement technique, but that ruling does not close other legal routes or regulatory scrutiny. Separately, LinkedIn received an EU gatekeeper designation under the DMA, which creates a tension: the DMA’s openness obligations for third-party tools sit uneasily with covert client-side surveillance of users who install third-party extensions.
Immediate choices for organizations and what to watch next
For IT teams and privacy officers: treat this as a new vector to audit. Practical steps include inventorying employee browser extensions, restricting nonessential extensions in managed environments, and testing LinkedIn access through privacy-focused browsers (Firefox blocks much of this probing). Fully disabling JavaScript blocks the scans but is impractical for routine LinkedIn use; extension whitelisting or containerized browsing sessions are more realistic mitigations.
Regulatory checkpoints to monitor: (1) GDPR enforcement actions or fines that interpret Article 9 in the context of extension-derived attributes; (2) DMA clarifications from the European Commission about whether gatekeepers may perform undisclosed client-side scans of third-party tools; (3) any public disclosure or change from LinkedIn about how third parties such as HUMAN Security receive or process fingerprint data.
Quick Q&A
When could regulators act? Enforcement timelines vary; expect months to years. Watch national data-protection authorities in Germany and Ireland and any Commission-level DMA guidance as the next visible milestones.
Can users stop the scanning today? Partly. Firefox and some privacy browsers block extension probing; corporate policies can block or limit extensions. Disabling JavaScript blocks the technique but breaks LinkedIn’s site functionality.
Does LinkedIn have a legal defense? LinkedIn claims the scans target extensions that violate terms or enable scraping. That defense hinges on proportionality, disclosure and whether collected attributes fall into GDPR special categories — issues courts and regulators will have to resolve.