BrowserGate 2026 · Exclusive Investigation

The Professional Big Brother

LinkedIn BrowserGate: how LinkedIn knows what software is installed on your computer — and how it silently collects religious, political, and medical data from 1.3 billion users. Without consent. With four undisclosed third-party recipients. A forensic investigation.


An employee at a multinational corporation opens LinkedIn from their work computer. They are quietly looking for new opportunities, as tens of millions of people do every day on that platform.

They have installed a resume optimizer, a job aggregator, and a tool to track which recruiters have visited their profile. The moment the page loads, LinkedIn’s JavaScript code fires 6,167 sequential queries into the local browser. Three match. The platform has already mapped their intentions before they have read a single job listing.

Every search you run, every profile you view, every message you send: that digital fingerprint travels silently attached to every network request, like an invisible tag that reads this is you, and this is your computer. For the entire duration of the session.

This is not dystopian science fiction. According to a devastating technical investigation published in spring 2026 by European association Fairlinked e.V. — confirmed independently by at least seven international cybersecurity outlets — this is what LinkedIn has done, and continues to do, to over 1.3 billion registered users worldwide. The operation has a name: BrowserGate.

2.7MB: JavaScript payload (chunk.905)
48: Hardware parameters extracted per user
6,167: Target extensions (February 2026)
409K: Source code characters in the target array alone

I

LinkedIn BrowserGate: The Anatomy of the Secret Machine

Module APFC / DNA — The Hardware Fingerprint

It all begins with a 2.7-megabyte JavaScript file distributed within LinkedIn’s production environment. Researchers at Fairlinked e.V. identified it through meticulous reverse engineering: it is called chunk.905, and it is part of the Ember.js framework that powers the platform’s web interface. Its exact location: line 9571, character offset 443, inside Webpack module 75023. Within this file, three synchronized modules operate silently in the background every time a user opens the site.

The first is the APFC module, also known internally as DNA. It performs full device fingerprinting: up to 48 distinct hardware and software characteristics extracted from the local machine. It goes well beyond screen resolution or operating system. It detects the exact CPU core count, total system memory, battery level, and time zone. It retrieves the local IP address via WebRTC — a technique that bypasses VPNs. It calculates the HTML5 Canvas fingerprint (every computer renders images slightly differently, producing a unique hash), the AudioContext fingerprint (infinitesimal variations in audio processing generate a second stable identifier), and the WebGL rendering signature (the graphics card produces a specific imprint). The synthesis of these 48 parameters generates a deterministic, persistent hardware identifier: a fingerprint that survives cookie deletion, incognito mode, changing internet provider, and session resets.

You can disappear from the conventional web. From LinkedIn, you cannot.

Module AED — Mapping 6,167 Extensions in Seconds

The second module, AED, exploits a structural quirk of the Chromium browser to do something that seemed impossible until recently: know exactly which extensions you have installed. Chromium extensions expose static resources via the chrome-extension:// protocol scheme. If the unique identifier of an extension is known, it is possible to request those files through the browser’s standard fetch() API: a successful response means the extension is present; an error means it is absent. AED fires up to 6,222 simultaneous requests in a single moment, producing in seconds a binary map of every extension installed in the browser. An internal parameter, staggerDetectionMs, introduces a configurable delay between requests to make the traffic less anomalous to a network analyst — a measure explicitly designed to evade security monitoring.
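
A defender-side view of the AED pattern described above, as an added example that is not code from LinkedIn, Fairlinked e.V. or this article: it scans a request log for bursts of chrome-extension:// lookups and shows how a stagger between requests interacts with the detection window. The record fields (url, startedMs, ok), the thresholds, the fake extension IDs and the resource path are assumptions constructed for illustration.

```javascript
// Added example (not LinkedIn's code): flag extension-enumeration probing in a
// request log. The record shape {url, startedMs, ok} is an assumption.
const EXT_URL = /^chrome-extension:\/\/([a-p]{32})\//; // Chromium IDs: 32 chars, a-p

function median(values) {
  if (values.length === 0) return null;
  const s = [...values].sort((a, b) => a - b);
  const mid = Math.floor(s.length / 2);
  return s.length % 2 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

function analyzeExtensionProbes(records, { minDistinctIds = 20, windowMs = 10000 } = {}) {
  const probes = records
    .map((r) => ({ ...r, id: (EXT_URL.exec(r.url) || [])[1] }))
    .filter((r) => r.id)
    .sort((a, b) => a.startedMs - b.startedMs);

  // Sliding window: peak number of distinct extension IDs probed within windowMs.
  const inWindow = new Map();
  let peakDistinct = 0, start = 0;
  for (const probe of probes) {
    inWindow.set(probe.id, (inWindow.get(probe.id) || 0) + 1);
    while (probe.startedMs - probes[start].startedMs > windowMs) {
      const old = probes[start++].id;
      if (inWindow.get(old) === 1) inWindow.delete(old);
      else inWindow.set(old, inWindow.get(old) - 1);
    }
    peakDistinct = Math.max(peakDistinct, inWindow.size);
  }

  const gaps = probes.slice(1).map((p, i) => p.startedMs - probes[i].startedMs);
  return {
    distinctIds: new Set(probes.map((p) => p.id)).size,
    peakDistinct,
    medianGapMs: median(gaps), // a steady non-zero gap suggests deliberate staggering
    respondedIds: [...new Set(probes.filter((p) => p.ok).map((p) => p.id))],
    flagged: peakDistinct >= minDistinctIds,
  };
}

// Constructed sample data: fake IDs and a hypothetical resource path.
const fakeId = (n) =>
  n.toString(16).padStart(32, "0").replace(/[0-9a-f]/g, (c) => "abcdefghijklmnop"[parseInt(c, 16)]);
function buildProbeLog(count, gapMs) {
  const log = [{ url: "https://example.test/feed", startedMs: 0, ok: true }];
  for (let i = 0; i < count; i++) {
    log.push({ url: `chrome-extension://${fakeId(i)}/icon.png`, startedMs: i * gapMs, ok: i % 13 === 0 });
  }
  return log;
}

const burst = analyzeExtensionProbes(buildProbeLog(40, 50));
const staggered = analyzeExtensionProbes(buildProbeLog(40, 1000));
console.log(burst.flagged, burst.peakDistinct, staggered.flagged, staggered.peakDistinct);
```

With the default 10-second window, the 1000 ms stagger keeps the same 40-ID scan under the threshold. Passing `{ windowMs: 60000 }` flags it, which is why a session-wide count of distinct extension IDs is the more robust signal.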

Module Spectroscopy — Closing Every Exit

The third module, Spectroscopy, passively scans the page DOM, intercepting extensions that inject elements into the HTML and that escape AED’s direct probing. It is the safety net that closes every exit. The compiled output of all three modules is serialized to JSON, encrypted with a public RSA key identified internally as apfcDfPK, and stored in the global variable globalThis.apfcDf. The payload is transmitted to two telemetry endpoints — li/track and /platform-telemetry/li/apfcDf — with the transport layer batching up to 29 events per request, retrying up to four times on failure, and applying LZ compression via compressToBase64.

[Figure: source code extract from Webpack module 75023, chunk.905, identified in the Fairlinked e.V. forensic analysis]
Webpack module 75023, line 9571, character offset 443 — the exact location in LinkedIn’s production code where the 6,167-entry target extension array resides. Source: Fairlinked e.V. forensic analysis, March 2026.

II

Four Recipients, Zero Disclosure

The most insidious feature emerges after transmission: the encrypted fingerprint is permanently injected as an HTTP header into every single API request made during the session. Every search, every profile viewed, every message sent carries the user’s hardware identifier, indissolubly attached to their verified professional identity.

Four recipients. Zero mentions in the privacy policy.

The data reaches at least four distinct parties. LinkedIn’s own servers via li/track. HUMAN Security (formerly PerimeterX) through a hidden iframe loaded from li.protechts.net, sized at 0×0 pixels, positioned at left: -9999px and marked aria-hidden="true" to hide it even from screen readers: inside this invisible window, encrypted scripts set cross-origin tracking cookies (_px3, _pxhd, _pxvid, _pxcts) completely independent of LinkedIn’s primary cookies. Merchant Pool via a separate fingerprinting script loaded from merchantpool1.linkedin.com, which receives the user’s session cookie and a hardcoded instance ID. Google reCAPTCHA v3 Enterprise, executed silently on every page load to analyze mouse movements and browsing patterns.

None of these data flows are described in LinkedIn’s privacy policy. No consent banner is ever shown. End-to-end encryption renders the payloads unreadable to corporate traffic inspection systems — bypassing SSL proxies, firewalls, and SIEMs without generating a single alert.

III

LinkedIn BrowserGate: The Trajectory of Surveillance

This practice is not new. Analysis of LinkedIn’s historical client-side packages reveals the foundations of this system have been operational since 2017, when the scans covered 38 extensions — a scale consistent with detecting known professional scraping tools. What has changed over nearly a decade is not only the scale, but the nature of the expansion itself.

Dataset: Historical evolution of the targeting array — chunk.905

| Period | Target extensions | Implied strategic focus |
| --- | --- | --- |
| Q3 2017 | 38 | Basic bot detection, elementary anti-scraping |
| Q1 2024 | 461 | Expanded defense against automated data extraction frameworks, ad-blockers |
| December 2025 | 5,459 | Aggressive mapping of enterprise and consumer software ecosystems |
| February 2026 | 6,167+ | Full environmental profiling — health surveillance, competitive mapping |

Between December 2025 and February 2026, the team responsible for the module integrated 708 new identifiers in under sixty days: approximately 12 new extensions per day, every day, for two months. The hardcoded array alone occupies 409,000 characters of raw source code. The expansion from 2024 to 2026 represents a +1,252% increase in two years. Maintaining a data structure of this size, one that is constantly updated and that requires the manual identification of specific internal files for each of the 6,167 target extensions, is not routine maintenance. It requires dedicated engineering resources, continuous threat intelligence operations, and active curation.

12 new extensions added every day. This is not defense. It is strategic construction.

IV

The Identity Paradox: Religious, Political and Medical Profiling

In any other digital context, device fingerprinting tracks pseudonymous entities. On LinkedIn this is structurally impossible. The platform’s entire value proposition is built on deterministic real-world identities: verified legal name, current employer, role, department, professional network history. De-anonymization is not a side effect. It is the base architecture.

The cataloguing of the 6,167 monitored extensions reveals something that transcends any reasonable defensive perimeter.

Forensic Analysis: Target extensions with implications for special category data — GDPR Art. 9

| Category | Examples identified in the array | Inference / Regulatory risk |
| --- | --- | --- |
| Religious orientation | PordaAI (haram content filter), Deen Shield, Islamic prayer time apps | Religious affiliation — GDPR Art. 9 |
| Political opinions | Anti-woke, Anti-Zionist Tag, No more Musk | Party ideology and geopolitical stance — GDPR Art. 9 |
| Health and neurodivergence | Dyslexia fonts, Simplify (ADHD reading aids), sensory filters for autism | Medical and psychological status — GDPR Art. 9 |
| Job-seeking intent | 509 job search and CV optimization tools | “Flight risk” signal — sold to corporate HR teams |

509 job search tools monitored. The employer pays LinkedIn to know who is looking for a way out.

If an employee is actively seeking alternative employment through extensions installed in their local browser, and that telemetry is transmitted to a centralized repository accessible to HR teams via LinkedIn’s premium recruitment products, the platform becomes a labor market surveillance mechanism. The employee who was quietly exploring new opportunities has already lost the informational advantage. Leaving LinkedIn, in many industries, is not a viable choice without real professional costs. The opt-out is not free. Implied consent to use the platform cannot be equated with explicit consent to the collection of this data — as the Irish DPC has already established in a structurally analogous context.

[Figure: growth chart of LinkedIn's monitored extension array from 2017 to 2026]
The trajectory of the list: from 38 extensions in 2017 to 6,167 in February 2026. The acceleration over the past two years — +1,252% — rules out any reading as routine security maintenance. FTA elaboration on Fairlinked e.V. data.

V

LinkedIn BrowserGate: Industrial Espionage at Scale

The BrowserGate architecture monitors with surgical precision over 200 enterprise products competing directly with LinkedIn’s sales and recruitment ecosystem: Salesforce, HubSpot, ZoomInfo, Apollo, Lusha, Pipedrive. By detecting which specific individuals within a given company have installed these extensions, LinkedIn can build in real time a map of the software supply chain of virtually every major enterprise on the planet. In traditional corporate espionage, obtaining a rival’s complete client list would require an illegal network intrusion. The BrowserGate architecture obtains the same intelligence through the passive, unconsented monitoring of clients’ own workforces.

The most serious dimension emerges in the context of Digital Markets Act obligations. In September 2023, the European Commission designated Microsoft and LinkedIn as regulated gatekeepers, mandating platform openness to third-party developers. LinkedIn responded by launching public APIs, presented as proof of compliance in a 249-page document. Fairlinked’s empirical tests then quantified the real ratio between the two infrastructures.

0.07/s: Public API for third-party developers — declared to the EU Commission as proof of DMA compliance. Maximum throughput measured by Fairlinked. Presented as the platform’s opening to competing tools.

163K/s: Internal “Voyager” API — powers LinkedIn’s proprietary products. Omitted from the 249-page compliance document submitted to the European Commission. Effective operational throughput measured under real conditions.

Asymmetry ratio: 2,250,000 to 1 — In the EU compliance dossier, the word “Voyager” does not appear once.

The EU ordered LinkedIn to open the platform. LinkedIn built a system to identify and penalize every user of third-party tools.

VI

LinkedIn BrowserGate: The Legal Front

California Class Action — Ganan v. LinkedIn Corporation

On April 6, 2026, the class action Ganan v. LinkedIn Corporation (Case 5:26-cv-02968) was filed with the United States District Court for the Northern District of California. The legal framing is surgical: the scanning system represents a browser interrogation regime “materially broader than was reasonably necessary” for the declared narrow anti-abuse purposes. The material collected reached information residing in users’ browsers and devices that they reasonably expected LinkedIn would not probe, enumerate, classify and transmit in the absence of clear notice and informed authorization. The California Invasion of Privacy Act provides for $5,000 per individual violation. With hundreds of millions of American Chromium users, the aggregate financial exposure is mathematically incalculable.

European Front — GDPR, DMA, and German Criminal Liability

In Europe, the Irish Data Protection Commission — which in October 2024 had already fined LinkedIn €310 million for GDPR violations related to behavioral advertising — now faces a system that scans extensions revealing religious practices, medical conditions and political opinions, linking them to verified real names. The GDPR classifies this information as “special category data” under Article 9: processing is prohibited without explicit consent. Article 83(5) mandates maximum penalties of up to 4% of Microsoft’s total global annual turnover. In Germany, legal experts have identified a potential vector of individual criminal liability for responsible executives under Section 202a of the StGB: up to three years’ imprisonment for unauthorized access to data.

310M€: Irish DPC fine (October 2024)
4%: Max global turnover (GDPR Art. 9 penalty)
5K$: Damages per violation (CIPA California)
3yrs: Max sentence under StGB § 202a for executives (DE)

The Defense and Its Limits

LinkedIn’s defense has concrete technical foundations. A senior engineer provided sworn testimony in German proceedings framing the telemetry as a legitimate anti-scraping tool, and Munich courts already denied a preliminary injunction to Teamfluence Signal Systems in January 2026. An independent audit by Fortra confirmed that in a 10% sample of the examined extensions, the large majority was active greyware or malware. But the audit analyzed only 10% of the sample — and in the remaining portion reside the religious, medical and political categories that no security justification can contain. The legally grounded critique is not about the principle of anti-scraping defense. It is about the targets that defense chose to include.

VII

What Is LinkedIn BrowserGate? Everything You Need to Know About the 2026 Privacy Scandal

LinkedIn BrowserGate is the name given to a documented technical and legal scandal uncovered in spring 2026 by Fairlinked e.V., an independent European digital rights association. The investigation revealed that LinkedIn embeds three JavaScript modules — APFC/DNA, AED, and Spectroscopy — inside its standard web interface. Together, they generate a persistent hardware fingerprint of every user’s device, map up to 6,167 browser extensions installed on their machine, and transmit this data to at least four parties without consent or privacy policy disclosure. Because LinkedIn operates on verified professional identities, the collected data cannot be anonymized: extensions associated with religious practices, medical conditions, political views, and job-seeking behavior are all included in the monitored list. As of May 2026, the operation faces class action litigation in California under CIPA, regulatory inquiry by the Irish Data Protection Commission under GDPR Article 9, and potential enforcement action by the European Commission under the Digital Markets Act.


Is LinkedIn BrowserGate Illegal? What GDPR, CIPA, and the Digital Markets Act Say About Covert Browser Surveillance

The question the courts will have to resolve in the coming years is not only about LinkedIn. It is about the architecture of the professional web in its current form. A platform that holds the verified identity of 1.3 billion people — and that in many sectors is not optional but an operational prerequisite — occupies a structural position that existing law did not foresee. It is not a social network. It is not a professional services provider. It is something that does not yet have a precise legal name: a mandatory private infrastructure that monitors the conditions of its own use.

In the meantime, the code chunk.905 loads silently with every visit. Twelve new extensions are added to the target list every day. And the data from your browser continues its journey toward servers you never authorized to receive it.
