https://www.linkedin.com/pulse/how-linkedin-knows-which-chro...
With that said, the chrome web store ecosystem has bigger problems in front of them. For example, loads of extensions outright just send every URL you visit (inc query params) over to their servers. Things like this just shouldn't happen, imagine you installed an extension from a few years back and you forgot about it, that's what happened to me with WhatRuns, which also scraped my AI chats.
I'm working on a tool to let people scan their extensions (https://amibeingpwned.com/) and I've found some utterly outrageous vulnerabilities, widespread affiliate fraud and widespread tracking.
As an end user I could not find an option to open the side panel
It's either the extension's choice to become detectable ("externally_connectable" is off by default) or it makes unique changes to websites that allow for its detection.
All of these are opt-in by the extensions and MV3 actually force you to specify which domains can access your extension. So, again, each extension must explicitly allow the web to find it.
So this probably depends on the country.
These aren't good people, but if you make the fine to the organisation much more expensive than the expected return, lock up the whole board and leave their families without a pot to piss in we will see this become the exception instead of the norm.
> The scan doesn’t just look for LinkedIn-related tools. It identifies whether you use an Islamic content filter (PordaAI — “Blur Haram objects, real-time AI for Islamic values”), whether you’ve installed an anti-Zionist political tagger (Anti-Zionist Tag), or a tool designed for neurodivergent users (simplify).
You'd say that's a ridiculous and illegal thing to do without your explicit consent, right?
Maybe you personally don't mind and would be happy to offer that consent. But they're doing it without your consent, regardless of whether you want it or not.
This is not. To violate trust, there should have been some.
https://www.eeoc.gov/prohibited-employment-policiespractices
LinkedIn's scanning for browser extensions used by protected groups allows them to provide illegal services to US-based recruiters. I have no idea if they actually do it or not, and am not a lawyer, but common sense suggests there's enough here for a class action suit to move into discovery.
If you mean the _browser_, then I agree in principle, but - it is a browser offered to you by Alphabet. And they are known for mass surveillance and use of personal information for all sorts of purposes, including passing copies to the US intelligence agencies.
But of course, this is what's promoted and suggested to people and installed by default on their phones, so even if it's Google/Alphabet, they should be pressured/coerced into respecting your privacy.
If I had to guess: I sought that automatic content blurrer, neurodivergent website simplifier, or anti-Zionist tagger actually work. They’re all just piggybacking on trending topics to get users to install them and then forget about them, then they exfiltrate the data when you visit LinkedIn.
I am a little surprised something like CORS doesn't apply to it, though.
This is fair from Linkedin IMO as I've seen loads of different extensions actually scraping the linkedin session tokens or content on linkedin.
It's not clear though, either they only tested against chrome-based browsers or Firefox isn't enabling them to do so.
edit: I answered before I go fully through the article but it does say it's only Chrome based.
> The extension scan runs only in Chrome-based browsers. The isUserAgentChrome() function checks for “Chrome” in the user agent string. The isBrowser() function excludes server-side rendering environments. If either check fails, the scan does not execute.
> This means every user visiting LinkedIn with Chrome, Edge, Brave, Opera, Arc, or any other Chromium-based browser is subject to the scan.
function a() { return "undefined" != typeof window && window && "node" !== window.appEnvironment; }
function s() { return window?.navigator?.userAgent?.indexOf("Chrome") > -1; }
if (!a() || !s()) return;
I'm happy to see that this doesn't hit firefox. I wonder if safari is impacted.
> Every time you open LinkedIn in a Chrome-based browser, LinkedIn’s JavaScript executes a silent scan of your installed browser extensions. The scan probes for thousands of specific extensions by ID, collects the results, encrypts them, and transmits them to LinkedIn’s servers.
This does seem invasive. It also seems like what I’d expect to find in modern browser fingerprinting code. I’m not deeply familiar with what APIs are available for detecting extensions, but the fact that it scans for specific extensions sounds more like a product of an API limitation (i.e. no available getAllExtensions() or somesuch) vs. something inherently sinister (e.g. “they’re checking to see if you’re a Muslim”).
I’m certainly not endorsing it, do think it’s pretty problematic, and I’m glad it’s getting some visibility. But I do take some issue with the alarmist framing of what’s going on.
I’ve come to mostly expect this behavior from most websites that run advertising code and this is why I run ad blockers.
My point isn’t that this is acceptable or that we shouldn’t push back against it. We should.
My point is that this doesn’t sound particularly surprising or unique to LinkedIn, and that the framing of the article seems a bit misleading as a result.
Your point of "I think we’d find that many websites we use are doing this" doesn't make LinkedIn's behavior ok!
By your logic, if our privacy rights are invaded which is illegal in most jurisdictions, and then it becomes ok because many companies do illegal things??
I’m saying that the framing of the article makes this sound like LinkedIn is the Big Bad when the reality is far worse - they’re just one in a sea of entities doing this kind of thing.
If anything, the article undersells the scale of the issue.
We’ve known for a long time that advertisers/“security” vendors use as many detectable characteristics as possible to construct unique fingerprints. This seems like a major enabler of even more invasive fingerprinting and that seems like the bigger issue here.
Point being: Google will 100% give your info to the police, regardless of whether the police have the legal right to it or not, and regardless of whether you actually committed a crime or not.
Bonus points: the federal court that ruled on the case said that it likely violated the fourth amendment, but they allowed the police to admit the evidence anyway because of the "good faith" clause, which is a new one for me. Time to add it to the list of horribly abusable exceptions (qualified immunity, civil asset forfeiture, and eminent domain coming to mind).
This is blatant misinformation. Firefox (and all of its derivatives) also does this.
1. Do a request to `chrome-extension://<extension_id>/<file>`. It's unclear to me why this is allowed.
2. Scan the DOM, look for nodes containing "chrome-extension://" within them (for instance because they link to an internal resource)
It's pretty obvious why the second one works, and that "feels alright" - if an extension modifies the DOM, then it's going to leave traces behind that the page might be able to pick up on.
The first one is super problematic to me though, as it means that even extensions that don't interact with the page at all can be detected. It's unclear to me whether an extension can protect itself against it.
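As an added example (not code from this thread, the article, or any real extension): one way to check from an extension's manifest.json whether a page on a given host could find it through the fixed-ID request or messaging described above, and whether its content scripts could leave DOM traces there. The function names, the host and the four sample manifests are constructed for illustration.

```javascript
// Added example. Audits a parsed manifest.json for what it exposes to a web page.
// All manifests below are constructed samples, not real extensions.

// True if a Chrome match pattern covers https://<host>/...
function patternCoversHost(pattern, host) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?):\/\/([^/]+)\/.*$/.exec(pattern);
  if (!m) return false;
  const [, scheme, patHost] = m;
  if (scheme === "http") return false; // the page under test is served over https
  if (patHost === "*") return true;
  if (patHost.startsWith("*.")) {
    const base = patHost.slice(2);
    return host === base || host.endsWith("." + base);
  }
  return patHost === host;
}

const coversHost = (patterns, host) =>
  (patterns || []).some((p) => patternCoversHost(p, host));

function auditManifest(manifest, host) {
  const report = {
    name: manifest.name,
    staticResources: [],    // fetchable at chrome-extension://<fixed id>/<file>
    dynamicResources: [],   // fetchable only under a per-session dynamic URL
    messaging: false,       // the page may message the extension by its ID
    injectsIntoPage: false, // content scripts run on this host: DOM traces possible
    detectableById: false,
  };
  for (const entry of manifest.web_accessible_resources || []) {
    if (typeof entry === "string") {
      // Manifest V2: a bare string is exposed to every web page.
      report.staticResources.push(entry);
    } else if (coversHost(entry.matches, host)) {
      // Manifest V3: exposed only to origins listed in "matches".
      const bucket = entry.use_dynamic_url
        ? report.dynamicResources
        : report.staticResources;
      bucket.push(...(entry.resources || []));
    }
  }
  const ec = manifest.externally_connectable;
  report.messaging = Boolean(ec && coversHost(ec.matches, host));
  report.injectsIntoPage = (manifest.content_scripts || []).some((cs) =>
    coversHost(cs.matches, host)
  );
  report.detectableById = report.staticResources.length > 0 || report.messaging;
  return report;
}

// Constructed sample manifests covering the cases discussed in the thread.
const SAMPLE_MANIFESTS = [
  { name: "legacy-mv2", manifest_version: 2,
    web_accessible_resources: ["icons/logo.png"] },
  { name: "scoped-mv3", manifest_version: 3,
    web_accessible_resources: [
      { resources: ["inject.js"], matches: ["https://*.example.com/*"] },
    ] },
  { name: "dynamic-mv3", manifest_version: 3,
    web_accessible_resources: [
      { resources: ["panel.html"], matches: ["<all_urls>"], use_dynamic_url: true },
    ],
    content_scripts: [{ matches: ["*://*.linkedin.com/*"], js: ["cs.js"] }] },
  { name: "messaging-mv3", manifest_version: 3,
    externally_connectable: { matches: ["https://*.linkedin.com/*"] } },
];

function auditSamples(host) {
  return SAMPLE_MANIFESTS.map((m) => auditManifest(m, host));
}

for (const r of auditSamples("www.linkedin.com")) {
  console.log(
    `${r.name}: detectableById=${r.detectableById} ` +
      `static=[${r.staticResources}] dynamic=[${r.dynamicResources}] ` +
      `messaging=${r.messaging} injectsIntoPage=${r.injectsIntoPage}`
  );
}
```

An extension that reports `detectableById=false` but `injectsIntoPage=true` can still be noticed through whatever it changes in the page, which the manifest alone does not show.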
Big +1 to that.
The charitable interpretation is that this behavior is simply an oversight by Google, a pretty massive one at that, which they have been slow to correct.
The less-charitable interpretation is that it has served Google's interests to maintain this (mis)feature of its browser. Likely, Google or its partners use similar techniques to what LinkedIn/Microsoft use.
This would be in the same vein as Google Chrome replacing ManifestV2 with ManifestV3, ostensibly for performance- and security-related purposes, when it just so happens that ManifestV3 limits the ability to block ads in Chrome… the major source of revenue for Google.
The more-fully-open-source Mozilla Firefox browser seems to have had no difficulty in recognizing the issues with static extension IDs and randomizing them since forever (https://harshityadav.in/posts/Linkedins-Fingerprinting), just as Firefox continues to support ManifestV2 and more effective ad-blocking, with no issues.
Of course Google is going to back door their browser.
> Of course Google is going to back door their browser.
Aside from the fact that other browsers exist, this makes no sense because Google would stand to gain more by being the only entity that can surveil the user this way, vs. allowing others to collect data on the user without having to go through Google's services (and pay them).
I think Android’s ‘permissions’ early on (maybe it’s improved?) and Microsoft’s blanket ‘this program wants to do things’ authorisation pop up have set a standard here that we shouldn’t still be following.
The list of extensions they scan for has been extracted from the code. It was all extensions related to spamming and scraping LinkedIn last time this was posted: Extensions to scrape your LinkedIn session and extract contact info for lead lists, extensions to generate AI message spam.
That seems like fair game for their business.
I think it’s kind of funny that HN has gone so reactionary at tech companies that the comments here have become twisted against the anti-spam measures instituted on a website that will never trigger on any of their PCs, because HN users aren’t installing LinkedIn scrape and spam extensions.
Indeed, so I gather all of you have canceled your LI account over this?
I never made one in the first place because it was pretty clear to me that this company - even before the acquisition - had nothing good in mind.
And probably also vibe-coded therefore 2 tabs of LinkedIn take up 1GB of RAM (was on the front page a few days back).
Expecting and accepting this kind of thing is why everyone feels the need to run an ad-blocker.
An ad-blocker also isn’t full protection. It’s a cat and mouse game. Novel ideas on how to extract information about you, and influence behavior, will never be handled by ad-blockers until it becomes known. And even then, it’s a question of if it’s worth the dev time for the maker of the ad-blocker you happen to be using and if that filter list gets enabled… and how much of the web enabling it breaks.
I run a site which attracts a lot of unsavoury people who need to be banned from our services, and tracking them to reban them when they come back is a big part of what makes our product better than others in the industry. I do not care at all about actually tracking good users, and I am not reselling this data, or anything malicious, it's entire purpose is literally to make the website more enjoyable for the good users.
There are people who actually enjoy using LinkedIn?
Calling the title misleading because they didn't breach the browser sandbox is wrong when this is clearly a scenario most people didn't think was possible. Chrome added extensionId randomization with the change to V3, so it's clearly not an intended scenario.
> vs. something inherently sinister (e.g. “they’re checking to see if you’re a Muslim”)
They chose to put that particular extension in their target list, how is it not sinister? If the list had only extensions to affect LinkedIn page directly (a good chunk seem to be LinkedIn productivity tools) they would have some plausible deniability, but that's not the case. You're just "nothing ever happens"ing this.
If it has the ability to scan your bookmarks, or visited site history, that would lend more credence to using the term "computer".
The title ought to have said "linkedIn illegally scans your browser", and that would make clear what is being done without being sensationalist.
But the language of "your computer" also implies software on your computer including but not limited to Chrome extensions.
Having sensationalist titles should be called out at every opportunity.
How'd that work? If it's in memory, the extensions would vanish every time I shutdown Chrome? I'll have to reinstall all my extensions again every time I restart Chrome?
Have you seen any browser that keeps extension in memory? Where they ask the user to reinstall their extensions every time they start the browser?
Like OP, I don't consider behavior confined to the browser to be my computer. "Scans your browser" is both technically correct and less misleading. "Scans your computer" was chosen instead, to get more clicks.
Your browser is a subset of your computer and lives inside a sandbox. Breaching that sandbox is certainly a much more interesting topic than breaking GDPR by browser fingerprinting.
I think most people would interpret “scanning your computer” as breaking out of the confines the browser and gathering information from the computer itself. If this was happening, the magnitude of the scandal would be hard to overstate.
But this is not happening. What actually is happening is still a problem. But the hyperbole undermines what they’re trying to communicate and this is why I objected to the title.
> They chose to put that particular extension in their target list, how is it not sinister?
Alongside thousands of other extensions. If they were scanning for a dozen things and this was one of them, I’d tend to agree with you. But this sounds more like they enumerated known extension IDs for a large number of extensions because getting all installed extensions isn’t possible.
If we step back for a moment and ask the question: “I’ve been tasked with building a unique fingerprint capability to combat (bots/scrapers/known bad actors, etc), how would I leverage installed extensions as part of that fingerprint?”
What the article describes sounds like what many devs would land on given the browser APIs available.
To reiterate, at no point am I saying this is good or acceptable. I think there’s a massive privacy problem in the tech industry that needs to be addressed.
But the authors have chosen to frame this in language that is hyperbolic and alarmist, and in doing so I think they’re making people focus on the wrong things and actually obscuring the severity of the problem, which is certainly not limited to LinkedIn.
That is exactly how I interpreted it, and that is why I clicked the link. When I skimmed the article and realized that wasn't the case, I immediately thought "Ugh, clickbait" and came to the HN comments section.
> To reiterate, at no point am I saying this is good or acceptable. I think there’s a massive privacy problem in the tech industry that needs to be addressed.
100% Agree.
So, in summary: what they are doing is awful. Yes, they are collecting a ton of data about you. But, when you post with a headline that makes me think they are scouring my hard drive for data about me... and I realize that's not the case... your credibility suffers.
Also, I think the article would be better served by pointing out that LinkedIn is BY FAR not the only company doing this...
> To reiterate, at no point am I saying this is good or acceptable. I think there’s a massive privacy problem in the tech industry that needs to be addressed.
These two sentences highlight the underlying problem: Developers without an ethical backbone, or who are powerless to push back on unethical projects. What the article describes should not be "what many devs would land on" naturally. What many devs should land on is "scanning the user's browser in order to try to fingerprint him without consent is wrong and we cannot do it."
To put it more extreme: If a developer's boss said "We need to build software for a drone that will autonomously fly around and kill infants," The developer's natural reaction should not be: "OK, interesting problem. First we'll need a source of map data, and vision algorithm that identifies infants...." Yet, our industry is full of this "OK, interesting technology!" attitude.
Unfortunately, for every developer who is willing to draw the line on ethical grounds, there's another developer waiting in the recruiting pipeline more than willing to throw away "doing the right thing" if it lands him a six figure salary.
Fighting against these kinds of directives was a large factor in my own major burnout and ultimately quitting big tech. I was successful for awhile, but it takes a serious toll if you’re an IC constantly fighting against directors and VPs just concerned about solving some perceived business problem regardless of the technical barriers.
Part of the problem is that these projects often address a legitimate issue that has no “good” solution, and that makes pushing back/saying no very difficult if you don’t have enough standing within the company or aren’t willing to put your career on the line.
I’d be willing to bet good money that this LinkedIn thing was framed as an anti-bot/anti-abuse initiative. And those are real issues.
But too many people fail to consider the broader implications of the requested technical implementation.
Yes, but I also think that most people would interpret "Getting a full list of all the Chrome extensions you have installed" as a meaningful escape/violation of the browser's privacy sandbox. The fact that there's no getAllExtensions API is deliberate. The fact that you can work around this with scanning for extension IDs is not something most people know about, and the Chrome developers patched it when it became common. So I don't think describing it as something everybody would expect is totally fine and normal for browsers to allow is correct.
By this logic we could also say that LinkedIn scans your home network.
We should not normalise nor accept this behaviour in the first place.
But I bet they could reliably guess your religious affiliation based on the presence of some specific browser extensions.
God forbid they make an educated guess based on your actual LinkedIn connections, name, interests, etc.
Time to figure out if I can make FireFox pretend to be Chrome, and return random browser extensions every time I visit any website to screw up browser fingerprinting...
Why is this even possible in the first place? It's nobody's business what extensions I have installed.
They also logically don’t need to fingerprint these users because those people are literally logging in to an account with their credentials.
By all appearances they’re just trying to detect people who are using spam automation and scraping extensions, which honestly I’m not too upset about.
If you never install a LinkedIn scraper or post generator extension you wouldn’t hit any of the extensions in the list they check for, last time I looked.
It’s common for malware extensions to disguise themselves as something simple and useful to try to trick a large audience into installing them.
That’s why the list includes things like an “Islamic content filter” and “anti-Zionist tagger” as well as “neurodivergent” tools. They look for trending topics and repackage the scraper with a new name. Most people only install extensions but never remove them if they don’t work.
also, having a PQC enabled extension doesn't seem like a good "large user base capture" tactic.
the source code is as usual obfuscated react but that doesn't mean it's malicious...
EDIT: i debugged the extension quickly and it doesn't seem to do anything malicious. it only sends https://pqc-extension.vercel.app/?hostname=[domain] request to this backend to which it has permissions. it doesn't seem to exfiltrate anything else. it might get triggered later but it has very limited permissions anyway so it doesn't seem to be a malicious extension. (but im no expert)
We had a browser extension for our product. A couple times a month someone would clone it, add some data scraping or other malware to it, and re-upload it with the same or similar name.
We set up automated searches to find them. After reporting it could take weeks to get them removed, sometimes longer. That’s for extensions with clear copyright problems!
The extensions may not be breaking any rules of the extension stores if they’re just scraping a website. Many of the extensions on the list are literally designed to do that as their headline feature.
If you think sending data from a page to a server would disqualify an extension from an extension store then think again. Many of the plugins listed even have semi-plausible reasons for uploading the scraped data, like the “anti-Zionist tagger” extension on the list or the ones that claim to blur things that are anti-Islam. Manufacturing a reason to send data to their servers gives them cover.
but that doesn't really matter. for the sake of the argument assume the extensions are not malicious (as evidenced e.g. by the PQC one with ?16 users?) does that change the situation?
Well great there is no available 'getAllFiles()' or such either because they'd be scanning your files for "fingerprinting" as well.
> alarmist framing
Well, they are literally searching your computer for applications/extensions that you have installed? (and to an extent you can infer what are some of the desktop applications you have based on that too)
Your computer is your private domain. Your house is your private domain. You don't make a "getAllKeysOnPorch()" API, and certainly don't make "getAllBankAccounts()" API. And if you do, you certainly don't make it available to anyone who asks.
It absolutely is sinister.
It's pretty wild that we live in a world where the actual FBI has recommended we use ad blockers to protect ourselves, and if everyone actually listened, much of the Internet (and economy) as we know it would disappear. The FBI is like "you should protect yourself from the way that the third largest company in the world does business", and the average person's response is "nah, that would take at least a couple of minutes of my time, I'll just go ahead and continue to suffer with invasive ads and make sure $GOOG keeps going up".
I thought uBlock Origin was now dead in Chrome?
I remember a few hacks to keep it going but have now migrated to Firefox (or sometimes Edge…) to keep using it.
--disable-features=ExtensionManifestV2Unsupported
But turning on privacy.resistfingerprinting in about:config (or was it fingerprintingProtection?) would break things randomly (like 3D maps on google for me. maybe it's related to canvas API stuff?) and made it hard to remember why things weren't working.
Not really sure how to strike a balance of broad convenience vs effectiveness these days. Every additional hoop is more attrition.
“uBlock Origin (uBO) is a CPU and memory-efficient wide-spectrum content blocker for Chromium and Firefox. It blocks ads, trackers, coin miners, popups, annoying anti-blockers, malware sites, etc., by default using EasyList, EasyPrivacy, Peter Lowe's Blocklist, Online Malicious URL Blocklist, and uBO filter lists. There are many other lists available to block even more [...]
Ads, "unintrusive" or not, are just the visible portion of the privacy-invading means entering your browser when you visit most sites. uBO's primary goal is to help users neutralize these privacy-invading methods in a way that welcomes those users who do not wish to use more technical means.”
[1] https://github.com/gorhill/uBlock?tab=readme-ov-file#ublock-...
Would it really? It seems to me that most normal users spend most of their time and attention on apps, not in browsers.
If all Android users did this, something would change.
There's also been other adblock apps for a long while, though (adguard comes to mind).
Last time I tried firefox on the iphone it was rubbish compared with safari. Same with some ad blocking app I had back in the day
They need to be protected by the state because they can't think for themselves.
The problem is in most countries and especially America the state is a corrupt cesspool.
Ads are a symptom of the problem that people want human generated content for free; they either do not value the content enough to pay for it, or cannot afford it. Ads do not solve for those problems.
> Sadly you are atypical and the vast majority are freeloaders
Citation needed.
> who even without ads or tracking will try and find another way not to pay
Why is this relevant? People try to get free stuff all over the place and I don't find it makes my life difficult.
I'm not signing up for a subscription for that journal, but paying a small amount for access to that one article is a no brainer. I don't subscribe to a newspaper either, but I'll happily buy one.
The New European did this a decade ago using "agate" (named after the smallest font you'd get in a newspaper), top up with a few quid, then pay for each article.
Sadly didn't catch on. TNE dropped it in 2019[0]. Agate still exists, having been renamed to "axate", but consumers aren't willing to pay with anything other than their time.
[0] https://pressgazette.co.uk/news/new-european-drops-micro-pay...
Not sure on that. It was far, far better before what drives ads today. I've gotten more value from random people's static HTML pages in 1999, than I ever have from something in the last 25 years.
This just led me to think of news sites, and how they've turned mostly into click-bait farms in the last decade to 15.
Gives me pause. Didn't the king of "doing it online" buy a newspaper, but the end result wasn't an improvement on its fate? If there is any way to make cash from news, shouldn't Bezos have been able to do it??
I would pay money for that.
Such content would also suck with flashy ads too.
It's pretty easy tech I think, it's just never hit a flash point. But it could.
Sure we had that in the print times, but we had a lot more "slow" content that you could sit with and contemplate over a day, week or month.
This isn’t Nielsen ratings informing cable networks where to throw up which commercials in certain regions. This is far more dangerous and intense. So the conversation needs to be framed differently than the implied bar of “intrusive/annoying ads.”
Ads won't go away. They'll just move from infesting websites to infesting AI chatbots.
No, I won't. I'll just stop using them. So will almost everyone. I don't think there's a single ad-supported product that would survive by converting to a paid subscription, because they're all so profoundly unnecessary.
We used to have "static" banners on sites, that would just loop through a predefined list on every refresh, same for every user, and it worked. Not for millions of revenue, but enough to pay for that phpbb hosting.
The advertisers started with intrusive tracking, and the sites started with putting 50 ads around a maybe paragraph of usable text. They started with the enshittification, and now they have to deal with the consequences.
Something Awful is a one time fee of ten bucks (a few bucks more to get rid of ads).
I wouldn’t really mind a one-time fee for a lot of sites if it meant that they didn’t have to do a bunch of advertising bullshit,
I think people think ads give way, way more money than they actually do. If you're visiting a website with mostly static ads then you're generating fractions of a cent in revenue for that website. Even on YouTube, you're generating mere cents of revenue across all your watch time for the month.
Why does YouTube premium cost, like, 19 dollars a month then? I don't know, your guess is as good as mine.
Point is, you wouldn't be paying 5.99. You could probably pay a dollar or two across ALL the websites you visit and you'd actually be giving them more money than you do today.
There would need to be a way for ISPs to know which websites are getting my traffic in order to know who to distribute the money to, which I'm not a fan of. But I think something along those lines, with anonymized traffic data, would work a treat.
This is highly debatable. I wouldn't mind paying a bit for the websites I am using as there are just a few platforms and some blogs that I would be happy to pay a small amount for.
My understanding is the rules and laws are to prevent the outcome, by any means, if it's happening.
This could be easily inferred from the depth, breadth, and interconnectedness of data in the website.
By downplaying it, it's allowing it to exist and do the very thing.
The issue here is this stuff is working likely despite ad blockers.
Fingerprinting technology can do a lot more than just what can be learned from ads.
From the site:
"The scan doesn’t just look for LinkedIn-related tools. It identifies whether you use an Islamic content filter (PordaAI — “Blur Haram objects, real-time AI for Islamic values”), whether you’ve installed an anti-Zionist political tagger (Anti-Zionist Tag), or a tool designed for neurodivergent users (simplify). Under GDPR Article 9, processing data that reveals religious beliefs, political opinions, or health conditions requires explicit consent. LinkedIn obtains none." https://browsergate.eu/extensions/
What's been really obnoxious lately is the number of sites I try to do things on that are straight up broken without turning off my ad-blocker.
Speaking as someone who shares the same lack of surprise, perhaps some alarm is warranted. Just because it’s ubiquitous doesn’t mean it’s ok. This feels very much frog in boiling water for me.
Why do you think the alarmist framing is unwarranted?
I would put it more like: it sounds bad, and it's no different from what others do, so they're all that bad.
The fact that they're working around an API limitation doesn't make this better, it just proves that they're up to no good. The whole reason there isn't an API for this is to prevent exactly this sort of enumeration.
It's clear that companies will do as much bad stuff as they can to make money. The fact that you can do this to work around extension enumeration limits should be treated as a security bug in Chrome, and fixed. And, while it doesn't really make a difference, LinkedIn should be considered to be exploiting a security vulnerability with this code.
Why exactly does Chrome even allow this in the first place!? This is the most surprising takeaway for me here, given browser vendors' focus on hardening against fingerprinting.
This seems like a really weird argument to make. The fact that the platform doesn't provide a privacy-violating API is not an extenuating circumstance. LinkedIn needed to work around this limitation, so they knew they're doing something sketchy.
For the record, I don't think they're being evil here, but the explanation is different: they don't seem to be trying to fingerprint users as much as they're trying to detect specific "evil" extensions that do things LinkedIn doesn't want them to do on linkedin.com. I guess that's their prerogative (and it's the prerogative of browsers to take that away).
The people behind this URL are trying to hold Microsoft accountable. The power to them.
It's important to note that this isn't fixed by ad blockers. To avoid this kind of fingerprinting, you need to disable JavaScript or use a browser like Firefox which randomizes extension UUIDs.
Just run everything in a safe environment that it can't look out of.
Since the extensions are running on the same page as LinkedIn (some of them are explicitly modifying the LinkedIn website) it's impossible to sandbox them so that LinkedIn can't see evidence of them. And yes this is how a site knows you have an ad blocker installed.
> I’ve come to mostly expect this behavior from most websites that run advertising code
We should be alarmed that websites we go to are fingerprinting us and tracking our behavior. The fact that most websites are doing this doesn't change that.
And not letting you read your messages when on your mobile phone unless you use their app is particularly mean. Considering again where they are sending all the information they scrape.
I really don't think they're "illegally" searching your computer, they're checking for sloppy extensions that let linkedin know they're there because of bad design.
⇒ which Chrome allows sites to do.
Considering the goal is to identify people, this is undeniably PII. As the article demonstrates, it also pertains to sensitive information.
Which is weird, because that is undeniably the hard way. Lobby Google to add protections to Chromium.
> 'the term “exceeds authorized access” means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter;'
The problem, of course, is that by clicking on a LinkedIn link, you agree to a non-negotiated contract that can change at any time, and that you have never seen. If that weren't allowed, then this sort of crap would correctly be considered "unauthorized access":
Is that enough blocking, I wonder?
Firefox with a non-default profile can be created like that:
./firefox -CreateProfile "profile-name /home/user/.mozilla/firefox/profile-dir/"
# For linkedin that would be:
./firefox -CreateProfile "linkedin /home/user/.mozilla/firefox/linkedin/"
And you can launch it like that:
./firefox -profile "/home/user/.mozilla/firefox/profile-dir/"
# For linkedin that would be:
./firefox -profile "/home/user/.mozilla/firefox/linkedin/"
So, given that /usr/bin/firefox is just a shell script, you can:
- create a copy of it, say, /usr/bin/firefox-linkedin
- adjust the relevant line, adding the -profile argument
If you use an icon to run firefox (say, /usr/share/applications/firefox.desktop), you'll need to copy it and adjust the line for the icon as well.
Of course, "./firefox" from the examples above should be replaced with the actual path to the executable. For a default installation of Firefox the path would be in the /usr/bin/firefox script.
So, you can have separate profiles for something sensitive/invasive (linkedin, shops, etc.) and then you can have a separate profile for everything else.
And each profile can have its own set of extensions.
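The separate-launcher setup described in the comment above, as an added example that is not part of the original thread: rather than copying and editing /usr/bin/firefox, it generates a small wrapper that passes -profile and derives a menu entry from an existing .desktop file. The function names, the stub browser and the sample .desktop content are constructed for the demo.

```shell
#!/bin/sh
# Added example: per-site Firefox launcher plus menu entry (names are assumptions).

# Write a wrapper that always starts Firefox with one fixed profile.
# $1 = real firefox executable, $2 = profile directory, $3 = wrapper to create
make_launcher() {
    case "$1$2" in
        *"'"*) echo "paths must not contain single quotes" >&2; return 1 ;;
    esac
    {
        printf '#!/bin/sh\n'
        printf "exec '%s' -profile '%s' \"\$@\"\n" "$1" "$2"
    } > "$3" && chmod 755 "$3"
}

# Derive a menu entry from an existing .desktop file: relabel it and point
# Exec= at the wrapper, keeping arguments and field codes such as %u.
# $1 = source .desktop, $2 = wrapper path (no spaces, '|' or '&'),
# $3 = label, $4 = .desktop file to create
make_desktop_entry() {
    sed -e "s|^Name=.*|Name=Firefox ($3)|" \
        -e "s|^Exec=[^ ]*|Exec=$2|" "$1" > "$4"
}

# Offline demo against a stub "firefox" that prints one argument per line,
# and a constructed firefox.desktop. Prints the stub's arguments, then the
# rewritten Exec= line.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '#!/bin/sh\nprintf "%%s\\n" "$@"\n' > "$tmp/firefox"
    chmod 755 "$tmp/firefox"
    printf '[Desktop Entry]\nName=Firefox\nExec=firefox %%u\nType=Application\n' \
        > "$tmp/firefox.desktop"
    make_launcher "$tmp/firefox" "$tmp/linkedin profile" "$tmp/firefox-linkedin" &&
        make_desktop_entry "$tmp/firefox.desktop" "$tmp/firefox-linkedin" \
            linkedin "$tmp/firefox-linkedin.desktop" &&
        "$tmp/firefox-linkedin" "https://www.linkedin.com/" &&
        grep '^Exec=' "$tmp/firefox-linkedin.desktop"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

demo
```

The profile directory in the demo contains a space on purpose, to show that the generated wrapper quotes it as a single argument.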
> Every time any of LinkedIn’s one billion users visits linkedin.com, hidden code searches their computer for installed software
and then proceeds not to explain how it’s doing that to me, a Safari user.
Because, spoiler: it isn’t. Or, it might try to search, and fail, and nothing will be collected.
I hope browsers in the future will need to ask for permission before doing any of that.
OMG is literally every article written with LLMs these days I just can't anymore. It's all so tiring.
I get it... I'm not a good writer. It just sucks that now people are going to assume the stuff I said isn't even me.
I guess I always scored pretty low on the Turing test and never even knew it.
I find myself doing this a lot, and I’m sure even more slips without my notice.
Would you like me to suggest some AI summarizer tools you could use to more efficiently read AI generated content in the meantime?
What matters is the content!
I am not a lawyer, but site stability seems like a GDPR "Legitimate Interest" in my book anyway.
My guess: LinkedIn has been used for years as a source of valuable information for phishing/spear-phishing.
Maybe their motive is really spying. But more important for them is to fight against people botting Linkedin.
Imho, browser fingerprinting should be banned and EU should require browser companies to actively fight against it, not to help them (Fu Google)
There's a reason I continue to use Firefox (with uBlock Origin) and will never switch.
Also, when I got laid off from a previous job, I made a LinkedIn profile to help find a new job. Once I found a new job, I haven't logged into LinkedIn since - that was almost 2 years ago.
Essentially, they are labelling you, like most do, but against some interesting profiles given the kinds of extensions they are scanning for
I know there has been other LinkedIn hate on HN this week. I know they have some good tools for job searching and hiring. I still wish we as a society could move on and leave this one with MySpace.
This reminds me of the slop bug reports plaguing the curl project.
I'm not convinced by their page explaining "Why it's illegal and potentially criminal" [0]. It's written by security researchers and non-attorneys.
For example, this characterization seems overly broad:
> The Court of Justice of the European Union has ruled, in three separate cases, that data which allows someone to infer or deduce protected characteristics is covered by this prohibition, regardless of whether the company intended to collect sensitive data.
> Microsoft has 33,000 employees
this should probably be LinkedIn, not Microsoft.
Different browsers have various settings available, but do we have a little snitch for a web browser?
HOLD EXECS LEGALLY ACCOUNTABLE, CRIMINALLY AND CIVILLY, FOR THE CRIMES OF THEIR CORPORATIONS.
> Microsoft has 33,000 employees and a $15 billion legal budget
Microsoft has more than 220k employees (it's hard to follow with all the layoffs), and the G&A, which bankrolls legal expenses (but not only - it also contains basically every employee who's not engineering or sales), was only 7B in 2025 - so the legal budget is much lower than that.
It seems to not scan for Privacy Badger and uBlock Origin, two extensions I rely on. That's...surprising.
> Every time any of LinkedIn’s one billion users visits linkedin.com, hidden code searches their computer for installed software, collects the results, and transmits them to LinkedIn’s servers
And thought, "no way in hell this gets by Safari."
And then, under "The Attack: How it Works":
> Every time you open LinkedIn in a Chrome-based browser
Shocker. If you use a Chromium-based browser, you should expect to be trading away your privacy, IME.
Sure, this can be solved at the legal layer, but in this case, there seems to be a much simpler and more effective technical solution, so why not pursue that instead?
Use Safari or Firefox, and Chrome only for incognito web app testing.
I set up the cgroups hack so I could route traffic from a dev profile into a VPS vpn, and may not be that useful for everyone.
But I think this is a reminder that you may want to have at least two profiles: one public and the other private. Do you really want Microsoft to know you installed the "Otaku Neko StarBlazers Tru-Fen Extendomatic" package to change every picture of a current political figure to an image from the cast of Space Battleship Yamato?
This feels very similar, except now it's taking a swing at Microsoft. It's apparently paid for by some mysterious "trade association and advocacy group for commercial LinkedIn users" that runs out of a private PO box in a small German town - uh huh. I'm not going to shed any tears for Microsoft, but I would love to read some investigative reporting down the line.