Every time you visit LinkedIn, the site quietly runs hidden code that checks your browser for over 6,000 specific extensions — and builds a hardware fingerprint of your device while it’s at it. None of this is mentioned in LinkedIn’s privacy policy.
What the Investigation Found
Fairlinked e.V., a European association of commercial LinkedIn users, published findings in early April 2026 detailing an internal LinkedIn system called “Spectroscopy.” The system works like this:
- LinkedIn injects a 2.7-megabyte JavaScript bundle into every page load
- The script fires up to 6,222 simultaneous requests to detect installed browser extensions
- It collects 48 distinct device characteristics — CPU cores, memory, screen resolution, timezone, language settings, battery status, audio hardware, and storage capacity
- The data is encrypted using RSA public key encryption and transmitted to LinkedIn telemetry endpoints
- The fingerprint is injected as an HTTP header into every API request for the rest of your session
BleepingComputer independently verified the fingerprinting script, confirming Fairlinked’s technical findings.
What LinkedIn Is Looking For
The categories of tracked extensions reveal what LinkedIn considers worth watching:
- 509 job search tools — extensions that help users find work. If you’re quietly job-hunting while employed, LinkedIn now has a signal for that.
- 200+ competitive products — sales tools like Apollo, Lusha, ZoomInfo, and Hunter.io that compete directly with LinkedIn’s own Sales Navigator.
- Religious and political tools — extensions associated with specific faiths or political orientations.
- Disability and accessibility tools — extensions designed for neurodivergent users or people with disabilities.
The monitoring has escalated sharply. LinkedIn tracked 38 extensions in 2017, 461 by 2024, and 6,167 by February 2026 — a 1,252% increase in just two years.
Some of That Data Goes to a Third Party
The investigation also found that some fingerprint data is shared with HUMAN Security, an American-Israeli cybersecurity firm, through invisible tracking pixels. This means your browser profile doesn’t just stay with LinkedIn — it’s transmitted to an outside company without your knowledge.
LinkedIn Says It’s About Security
A LinkedIn spokesperson said the company scans for “extensions that scrape data without members’ consent or otherwise violate LinkedIn’s Terms of Service.” The company insists it does not use the data to “infer sensitive information about members.”
But that defence doesn’t explain why LinkedIn needs to know about your religious browser tools, disability aids, or job search extensions. Scanning for 6,167 extensions goes far beyond detecting scrapers. And the fact that none of this appears in the privacy policy makes the security justification harder to accept.
LinkedIn also dismissed the investigation by noting that its lead researcher had their account restricted for scraping — an ad hominem that doesn’t address the technical findings BleepingComputer confirmed independently.
Why This Matters
LinkedIn has nearly a billion users. Most of them open the site for professional purposes — networking, job hunting, business development — with no idea that the platform is silently cataloguing their browser setup.
This is browser fingerprinting at scale, and it creates risks that go beyond typical ad tracking:
Employment risk. If you’re quietly looking for a new job and your employer uses LinkedIn Recruiter or Sales Navigator, the platform could theoretically flag your job search activity based on the extensions you’ve installed.
Discrimination potential. Cataloguing extensions related to religion, politics, neurodivergence, and disability creates a profile that could be used — intentionally or not — to sort users into categories that have nothing to do with professional networking.
No meaningful consent. This scanning happens automatically on page load. There’s no opt-out, no disclosure, and no way to know it’s happening unless you inspect network traffic.
Under GDPR, browser fingerprinting requires informed consent. LinkedIn’s failure to disclose this practice in its privacy policy raises serious questions about compliance, particularly for its hundreds of millions of European users.
What You Can Do
- Use Firefox with strict Enhanced Tracking Protection. Firefox blocks many fingerprinting techniques by default and limits extension detection.
- Install uBlock Origin and configure it to block scripts from unknown telemetry domains.
- Use a separate browser for LinkedIn. If you must use the platform, isolate it in its own browser profile with minimal extensions installed.
- Consider browser extension managers that can disable extensions on specific sites, reducing your fingerprint surface.
- Review your LinkedIn activity. If you’re job-hunting or using competitive tools, be aware that LinkedIn may have signals about both.
The broader lesson: even professional platforms treat your browser as a data source. If a site can see what extensions you’re running, it can infer a lot about who you are and what you’re doing. The only reliable protection is to limit what your browser exposes in the first place.