(Photo by Klaudia Radecka/NurPhoto via Getty Images)
UPDATE 4/7: LinkedIn was hit with two class-action lawsuits on Monday over the browser extensions scanning. However, LinkedIn says the dispute mischaracterizes practices already disclosed in its privacy policy.
Original Story:
LinkedIn is fending off allegations that it’s been secretly spying on users using a little-known JavaScript file built to scan for what browser extensions you use.
A German group that represents commercial LinkedIn users, Fairlinked e.V., claims the Microsoft-owned site is “running one of the largest corporate espionage operations in modern history.” In a report, Fairlinked notes that LinkedIn’s website uses a 2.7MB JavaScript file designed to detect Chrome browser extensions.
“The program runs silently, without any visible indicator to the user,” the group says. "It does not ask for consent. It does not disclose what it is doing. It reports the results to LinkedIn’s servers. This is not a one-time check. The scan runs on every page load, for every visitor.”
This browser extension “fingerprinting” technique has been spotted before, but it was previously found to probe only 2,000 to 3,000 extensions. Fairlinked alleges that LinkedIn is now scanning for 6,222 extensions that could indicate a user’s political opinions or religious views. For example, the extensions LinkedIn will look for include one that flags companies as too “woke,” one that can add an “anti-Zionist” tag to LinkedIn profiles, and two others that can block content forbidden under Islamic teachings.
(Credit: Browsergate.eu)It would also be a cakewalk to tie the collected extension data to specific users, since LinkedIn operates as a vast professional social network that covers people’s work history. Fairlinked's concern is that Microsoft and LinkedIn can allegedly use the data to identify which companies use competing products.
"LinkedIn has already sent enforcement threats to users of third-party tools, using data obtained through this covert scanning to identify its targets,” the group claims.
However, LinkedIn claims that Fairlinked mischaracterizes a LinkedIn safeguard designed to prevent web scraping by browser extensions. “We do not use this data to infer sensitive information about members,” the company says.
“To protect the privacy of our members, their data, and to ensure site stability, we do look for extensions that scrape data without members’ consent or otherwise violate LinkedIn’s Terms of Service,” LinkedIn adds.
"Here’s why: some extensions have static resources (images, JavaScript) available to inject into our web pages. We can detect the presence of these extensions by checking if that static resource URL exists," the company says. "This detection is visible inside the Chrome developer console. We use this data to determine which extensions violate our terms, to inform and improve our technical defenses, and to understand why a member account might be fetching an inordinate amount of other members' data, which, at scale, impacts site stability."
The statement goes on to allege that Fairlinked is from a developer whose account was previously suspended for web scraping. One of the group's board members is listed as “S.Morell,” which appears to be Steven Morell, the founder of Teamfluence, a tool that helps businesses monitor LinkedIn activity.
(Credit: Teamfluence)LinkedIn adds: “They attempted to obtain an injunction in Germany, alleging LinkedIn had violated various laws. The court ruled against them and found their claims against LinkedIn had no merit, and in fact, this individual’s own data practices ran afoul of the law. Unfortunately, this is a case of an individual who lost in the court of law, but is seeking to re-litigate in the court of public opinion without regard for accuracy.”
Still, the Microsoft-owned site is facing some blowback for not clearly disclosing the browser extension scanning in LinkedIn’s privacy policy. That said, the policy does say: "We also get information about your network and device (e.g., IP address, proxy server, operating system, web browser and add-ons."
(LinkedIn)In the meantme, Fairlinked is soliciting donations for a legal fund to take on Microsoft and is urging the public to encourage local regulators to intervene.
Editor's note: This story has been updated to include the screenshot and add a line about LinkedIn mentioning collecting data about browser add-ons in the site's privacy policy.