LinkedIn is facing a proposed class action lawsuit in the United States following allegations that it secretly scans users’ browsers for installed extensions and transmits sensitive data without consent.
The case centers on claims that the Microsoft-owned platform deployed hidden tracking code that affected millions of users worldwide.
The complaint, filed on April 7, 2026, in the US District Court for the Northern District of California by the Law Office of J.R. Howell, accuses LinkedIn of running a “covert surveillance system” embedded in its website.
According to a press release shared with CyberInsider, the system allegedly probes users’ devices for thousands of browser extensions on every page load, collects device fingerprinting data, and transmits the results back to LinkedIn’s servers without disclosure or opt-in consent.
The allegations stem from research published by the nonprofit Fairlinked e.V. and the BrowserGate.eu project, which claim to have identified the behavior within LinkedIn’s production JavaScript code. The researchers state that the discovery was made through reverse engineering of a Webpack bundle served to users, revealing functions that attempt to detect installed Chrome extensions using multiple techniques, including direct resource probing and DOM inspection.
According to the findings, the system checks for the presence of more than 6,000 browser extensions by attempting to access internal extension resources via chrome-extension:// URLs and monitoring page modifications associated with extension activity. The results are then bundled into telemetry events and transmitted to LinkedIn endpoints, reportedly encrypted and attached to subsequent API requests during a user’s session.
Fairlinked claims this scanning capability has expanded rapidly, growing from a few hundred tracked extensions in 2024 to over 6,000 by early 2026. The researchers further allege that the data collected could allow LinkedIn to infer sensitive attributes about users, such as political affiliations, religious beliefs, health conditions, and job-seeking activity, based on the types of extensions installed.
LinkedIn, a professional networking platform owned by Microsoft with over one billion members worldwide, plays a central role in hiring, recruiting, and business networking. Because user profiles are tied to real identities, employers, and job titles, any data collected through such scanning could, in theory, be linked directly to identifiable individuals and organizations.
In addition to the US class action, at least one law firm has launched a broader investigation into potential privacy violations, citing possible breaches of federal and state wiretapping laws, the Computer Fraud and Abuse Act, and consumer protection statutes. The complaint seeks statutory damages, injunctive relief, and deletion of any unlawfully collected data.
LinkedIn has strongly denied the allegations. In a public statement shared with the media, the company said the claims are “plain wrong” and attributed them to an individual whose account had been restricted for violating its terms of service. LinkedIn acknowledged that it detects certain browser extensions but stated this is done to identify tools that scrape data or impact platform stability. The company maintains that it does not use such detection to infer sensitive user information.
The company also pointed to prior legal proceedings in Germany, claiming a court found related allegations to be without merit. However, researchers and legal representatives involved in the current case argue that those proceedings did not address the full scope of the browser-scanning claims.
The case is likely to draw scrutiny from regulators in both the US and Europe, particularly given LinkedIn’s designation as a “gatekeeper” under the EU’s Digital Markets Act, which imposes strict obligations on data practices and platform fairness.
Leave a Reply