The headline seems pretty misleading. Here’s what seems to actually be going on:
> Every time you open LinkedIn in a Chrome-based browser, LinkedIn’s JavaScript executes a silent scan of your installed browser extensions. The scan probes for thousands of specific extensions by ID, collects the results, encrypts them, and transmits them to LinkedIn’s servers.
This does seem invasive. It also seems like what I’d expect to find in modern browser fingerprinting code. I’m not deeply familiar with what APIs are available for detecting extensions, but the fact that it scans for specific extensions sounds more like a product of an API limitation (i.e. no available getAllExtensions() or somesuch) vs. something inherently sinister (e.g. “they’re checking to see if you’re a Muslim”).
I’m certainly not endorsing it, do think it’s pretty problematic, and I’m glad it’s getting some visibility. But I do take some issue with the alarmist framing of what’s going on.
I’ve come to mostly expect this behavior from most websites that run advertising code and this is why I run ad blockers.
How is probing your browser for installed extensions not "scanning your computer"?
Calling the title misleading because they didn't breach the browser sandbox is wrong when this is clearly a scenario most people didn't think was possible. Chrome added extensionId randomization with the change to V3, so it's clearly not an intended scenario.
> vs. something inherently sinister (e.g. “they’re checking to see if you’re a Muslim”)
They chose to put that particular extension in their target list, how is it not sinister? If the list had only extensions to affect LinkedIn page directly (a good chunk seem to be LinkedIn productivity tools) they would have some plausible deniability, but that's not the case. You're just "nothing ever happens"ing this.
How is probing your browser for installed extensions not "scanning your computer"?
I think most people would interpret “scanning your computer” as breaking out of the confines the browser and gathering information from the computer itself. If this was happening, the magnitude of the scandal would be hard to overstate.
But this is not happening. What actually is happening is still a problem. But the hyperbole undermines what they’re trying to communicate and this is why I objected to the title.
> They chose to put that particular extension in their target list, how is it not sinister?
Alongside thousands of other extensions. If they were scanning for a dozen things and this was one of them, I’d tend to agree with you. But this sounds more like they enumerated known extension IDs for a large number of extensions because getting all installed extensions isn’t possible.
If we step back for a moment and ask the question: “I’ve been tasked with building a unique fingerprint capability to combat (bots/scrapers/known bad actors, etc), how would I leverage installed extensions as part of that fingerprint?”
What the article describes sounds like what many devs would land on given the browser APIs available.
To reiterate, at no point am I saying this is good or acceptable. I think there’s a massive privacy problem in the tech industry that needs to be addressed.
But the authors have chosen to frame this in language that is hyperbolic and alarmist, and in doing so I thing they’re making people focus on the wrong things and actually obscuring the severity of the problem, which is certainly not limited to LinkedIn.
> What the article describes sounds like what many devs would land on given the browser APIs available.
> To reiterate, at no point am I saying this is good or acceptable. I think there’s a massive privacy problem in the tech industry that needs to be addressed.
These two sentences highlight the underlying problem: Developers without an ethical backbone, or who are powerless to push back on unethical projects. What the article describes should not be "what many devs would land on" naturally. What many devs should land on is "scanning the user's browser in order to try to fingerprint him without consent is wrong and we cannot do it."
To put it more extreme: If a developer's boss said "We need to build software for a drone that will autonomously fly around and kill infants," The developer's natural reaction should not be: "OK, interesting problem. First we'll need a source of map data, and vision algorithm that identifies infants...." Yet, our industry is full of this "OK, interesting technology!" attitude.
Unfortunately, for every developer who is willing to draw the line on ethical grounds, there's another developer waiting in the recruiting pipeline more than willing to throw away "doing the right thing" if it lands him a six figure salary.
Fighting against these kinds of directives was a large factor in my own major burnout and ultimately quitting big tech. I was successful for awhile, but it takes a serious toll if you’re an IC constantly fighting against directors and VPs just concerned about solving some perceived business problem regardless of the technical barriers.
Part of the problem is that these projects often address a legitimate issue that has no “good” solution, and that makes pushing back/saying no very difficult if you don’t have enough standing within the company or aren’t willing to put your career on the line.
I’d be willing to bet good money that this LinkedIn thing was framed as an anti-bot/anti-abuse initiative. And those are real issues.
But too many people fail to consider the broader implications of the requested technical implementation.
Oh yeah. Must be an anti-fraud/child abuse/money laudering/terrorism/fake news thing. All real problems with no known good solution (to my knowledge, please prove me wrong).
> These two sentences highlight the underlying problem: Developers without an ethical backbone, or who are powerless to push back on unethical projects.
One reason your boss is eager to replace everyone with language models, they won’t have any “ethical backbone” :’)
Many developers overestimate their agency without extremely high labor demand. We got a say because replacing us was painful, not because of our ethics and wisdom. Without that leverage, developers are cogs just like every other part of the machine.
You can't actually push back as an IC. Tech companies aren't structured that way. There's no employment protection of any kind, at least in the US. So the most you can do is protest and resign, or protest and be fired. Either way, it'll cost you your job. I've paid that price and it's steep. There's no viable "grassroots" solution to the problem, it needs to come from regulation. Managers need to serve time in prison, and companies need to be served meaningfully damaging fines. That's the only way anything will get done.
I'm hoping the Ladybird project's new Web browser (alpha release expected in August) will solve some issues resulting from big tech controlling most browers.
> There's no viable "grassroots" solution to the problem, it needs to come from regulation. Managers need to serve time in prison,
No, yes
Yes, giving these people short (or long, mēh) prison sentences is the only thing that will stop this.
No, the obvious grassroots response is to not use LinkedIn or Chrome. (You mean developers not consumers, I think. The developers in the trenches should obey if they need their jobs, they are not to blame. It is the evil swine getting the big money and writing the big cheque's...)
I integrate these kinds of systems in order to prevent criminals from being able to use our ecommerce platform to utilize stolen credit cards.
That involves integrating with tracking providers to best recognize whether a purchase is being made by a bot or not, whether it matches "Normal" signals for that kind of order, and importantly, whether the credit card is being used by the normal tracking identity that uses it.
Even the GDPR gives us enormous leeway to do literally this, but it requires participating in tracking networks that have what amounts to a total knowledge of purchases and browsing you do on the internet. That's the only way they work at all. And they work very well.
Is it Ethical?
It is a huge portion of the reason why ecommerce is possible, and significantly reduces credit card fraud, and in our specific case, drastically limits the ability of a criminal to profit off of stolen credit cards.
Are people better off from my work? If you do not visit our platforms, you are not tracked by us specifically, but the providers we work with are tracking you all over the web, and definitely not just on ecommerce.
One works for money. And money is important. Ethics isn’t going pay mortgage, send kids to university and all that other stuff. I’m not going to do things that are obviously illegal. But if I get a requirement that needs to be met and then the company legal team is responsible for the outcome.
In short, you are not going to solve this problem blaming developer ethics. You need regulation. To get the right regulation we need to get rid of PACs and lobbying.
> These two sentences highlight the underlying problem: Developers without an ethical backbone, or who are powerless to push back on unethical projects. What the article describes should not be "what many devs would land on" naturally. What many devs should land on is "scanning the user's browser in order to try to fingerprint him without consent is wrong and we cannot do it."
I think using LinkedIn is pretty much agreeing to participate in “fingerprinting” (essentially identifying yourself) to that system. There might be a blurry line somewhere around “I was just visiting a page hosted on LinkedIn.com and was not myself browsing anyone else’s personal information”, but otherwise LinkedIn exists as a social network/credit bureau-type system. I’m not sure how we navigate this need to have our privacy while simultaneously needing to establish our priors to others, which requires sharing information about ourselves. The ethics here is not black and white.
> I think most people would interpret “scanning your computer” as breaking out of the confines the browser and gathering information from the computer itself.
Yes, but I also think that most people would interpret "Getting a full list of all the Chrome extensions you have installed" as a meaningful escape/violation of the browser's privacy sandbox. The fact that there's no getAllExtensions API is deliberate. The fact that you can work around this with scanning for extension IDs is not something most people know about, and the Chrome developers patched it when it became common. So I don't think describing it as something everybody would expect is totally fine and normal for browsers to allow is correct.
> I think most people would interpret “scanning your computer” as breaking out of the confines the browser and gathering information from the computer itself.
That is exactly how I interpreted it, and that is why I clicked the link. When I skimmed the article and realized that wasn't the case, I immediately thought "Ugh, clickbait" and came to the HN comments section.
> To reiterate, at no point am I saying this is good or acceptable. I think there’s a massive privacy problem in the tech industry that needs to be addressed.
100% Agree.
So, in summary: what they are doing is awful. Yes, they are collecting a ton of data about you. But, when you post with a headline that makes me think they are scouring my hard drive for data about me... and I realize that's not the case... your credibility suffers.
Also, I think the article would be better served by pointing out that LinkedIn is BY FAR not the only company doing this...
> Alongside thousands of other extensions. If they were scanning for a dozen things and this was one of them, I’d tend to agree with you. But this sounds more like they enumerated known extension IDs for a large number of extensions because getting all installed extensions isn’t possible.
To take a step back further: what you're saying here is that gathering more data makes it less sinister. The gathering not being targeted is not an excuse for gathering the data in the first place.
It's likely that the 'naive developer tasked with fingerprinting' scenario is close to the reality of how this happened. But that doesn't change the fact that sensitive data -- associated with real identities -- is now in the hands of MS and a slew of other companies, likely illegally.
> But the authors have chosen to frame this in language that is hyperbolic and alarmist, and in doing so I thing they’re making people focus on the wrong things and actually obscuring the severity of the problem, which is certainly not limited to LinkedIn.
The article is not hyperbolizing by exploring the ramifications of this; and it's true that this sort of tracking is going on everywhere, but neither is it alarmist to draw attention to a particularly egregious case. What wrong things does it focus on?
> I think most people would interpret “scanning your computer” as breaking out of the confines the browser and gathering information from the computer itself.
Which they would, if they could.
They are scanning users' computers to the maximum extent possible.
> Alongside thousands of other extensions. If they were scanning for a dozen things and this was one of them, I’d tend to agree with you. But this sounds more like they enumerated known extension IDs for a large number of extensions because getting all installed extensions isn’t possible.
If that's all it takes to fool you then its pretty trivial way to hide your true intentions.
> I think most people would interpret “scanning your computer” as breaking out of the confines the browser and gathering information from the computer itself. If this was happening, the magnitude of the scandal would be hard to overstate.
But at the end of the day, the browser is likely where your most sensitive data is.
> making people focus on the wrong things and actually obscuring the severity of the problem, which is certainly not limited to LinkedIn.
No, LinkedIN has much more sensitive data already. Combined with which the voracious fingerprinting, this stands out as a particularly dystopian instance of surveillance capitalism
Scanning your computer is an entirely different thing than scanning browser extensions. By maximizing the expectation via "Illegally searching your computer", the truth suddenly appears harmless.
> I’ve come to mostly expect this behavior from most websites that run advertising code and this is why I run ad blockers.
Expecting and accepting this kind of thing is why everyone feels the need to run an ad-blocker.
An ad-blocker also isn’t full protection. It’s a cat and mouse game. Novel ideas on how to extract information about you, and influence behavior, will never be handled by ad-blockers until it becomes known. And even then, it’s a question of if it’s worth the dev time for the maker of the ad-blocker you happen to be using and if that filter list gets enabled… and how much of the web enabling it breaks.
It's pretty wild that we live in a world where the actual FBI has recommended we use ad blockers to protect ourselves, and if everyone actually listened, much of the Internet (and economy) as we know it would disappear. The FBI is like "you should protect yourself from the way that the third largest company in the world does business", and the average person's response is "nah, that would take at least a couple of minutes of my time, I'll just go ahead and continue to suffer with invasive ads and make sure $GOOG keeps going up".
I disagree, I think we should push back hard on behavior like this. What business is it of LinkedIn's what browser extensions I have installed? I think the framing for this is appropriate.
This has been covered several times including reverse engineering of the code. The list of extensions they check for doesn’t include common extensions like ad blockers. It’s exclusively full of LinkedIn spamming and scraping type of extensions.
They also logically don’t need to fingerprint these users because those people are literally logging in to an account with their credentials.
By all appearances they’re just trying to detect people who are using spam automation and scraping extensions, which honestly I’m not too upset about.
If you never install a LinkedIn scraper or post generator extension you wouldn’t hit any of the extensions in the list they check for, last time I looked.
It is likely in response to scraping. Linked in is heavily scraped by scammers who do the BEC scams. So linked in is trying to find ways to link together banned accounts, to handle their ban evasion.
I run a site which attracts a lot of unsavoury people who need to be banned from our services, and tracking them to reban them when they come back is a big part of what makes our product better than others in the industry. I do not care at all about actually tracking good users, and I am not reselling this data, or anything malicious, it's entire purpose is literally to make the website more enjoyable for the good users.
Font measurement (4): fontFamily, fontSize, getBoundingClientRect, innerText. Creates a hidden div, sets a font, measures rendered text dimensions, removes the element.
Storage (5): storage, quota, estimate, setItem, usage. Also writes the fingerprint to localStorage under key 6f376b6560133c2c for persistence across page loads.
Scanning for 6000 extensions is anti-competitive, surveillant and immoral.
> I’m not deeply familiar with what APIs are available for detecting extensions, but the fact that it scans for specific extensions sounds more like a product of an API limitation (i.e. no available getAllExtensions() or somesuch) vs. something inherently sinister
This seems like a really weird argument to make. The fact that the platform doesn't provide a privacy-violating API is not an extenuating circumstance. LinkedIn needed to work around this limitation, so they knew they're doing something sketchy.
For the record, I don't think they're being evil here, but the explanation is different: they're don't seem to be trying to fingerprint users as much as they're trying to detect specific "evil" extensions that do things LinkedIn doesn't want them to do on linkedin.com. I guess that's their prerogative (and it's the prerogative of browsers to take that away).
Those profiling tools don't really care which features are going to be used for predictions. It's just machine learning, and it's indiscriminate. So if you have an extension that correlates with you being Muslim, it will be used for whatever ML predictions they give to other companies, and the worst case will be another "oh we didn't do this intentionally".
Of course, that's not the first time this ever happened in human history, so even if it's not "something inherently sinister", it's just "criminal negligence".
> The scan probes for thousands of specific extensions by ID, collects the results
Why exactly does Chrome even allow this in the first place!? This is the most surprising takeaway for me here, given browser vendors' focus on hardening against fingerprinting.
For what it's worth - and I'm not saying that LinkedIn is doing this for the right reasons - I can imagine a frontend QA team wanting to do this to understand how prominent certain extensions are for users of various parts of their product, correlating those extensions against frontend bug reports, and using that to guide QA procedures with real-world extension sets.
When you're literally the company that invented Kafka for your clickstreams, "everything looks like a nail."
(More likely, though, this is an anti-scraping initiative, since headless browsers are unlikely to randomize their use of extensions, and they can use this to identify potential scrapers.)
the fact that it scans for specific extensions sounds more like a product of an API limitation (i.e. no available getAllExtensions() or somesuch) vs. something inherently sinister (e.g. “they’re checking to see if you’re a Muslim”).
Your computer is your private domain. Your house is your private domain. You don't make a "getAllKeysOnPorch()" API, and certainly don't make "getAllBankAccounts()" API. And if you do, you certainly don't make it available to anyone who asks.
> This does seem invasive. It also seems like what I’d expect to find in modern browser fingerprinting code. I’m not deeply familiar with what APIs are available for detecting extensions, but the fact that it scans for specific extensions sounds more like a product of an API limitation (i.e. no available getAllExtensions() or somesuch) vs. something inherently sinister (e.g. “they’re checking to see if you’re a Muslim”).
Working around deliberate API designs that are designed to make it harder to get a list of all installed extensions is inherently sinister. It's very clearly malicious. We absolutely should not accept that kind of behavior from anyone and definitely not from the corporations large enough that we can't realistically avoid depending upon them.
> I’m certainly not endorsing it, do think it’s pretty problematic, and I’m glad it’s getting some visibility. But I do take some issue with the alarmist framing of what’s going on.
Speaking has someone who shares the same lack of surprise, perhaps some alarm is warranted. Just because it’s ubiquitous doesn’t mean it’s ok. This feels very much frog in boiling water for me.
Why do you think the alarmist framing is unwarranted?
Just because someone lets the electrician (LinkedIn) into their home (browser) doesn't mean they can do whatever the hell they want that isn't expressly prohibited. If the electrician wants to rifle through my desk drawers, they should ask for permission, and I will politely tell them to leave.
I worked for a company that sold b2b contact data and they had (maybe still have) a linkedIn extension. It basically enriched the linkedIn profile. I wonder if linkedIn is trying to block these, or heavily target, in some way, these types of users to push folks towards their sales navigator.
Your post sounds like "it sounds bad, but it's no different from what others do, so it's not that bad."
I would put it more like: it sounds bad, and it's no different from what others do, so they're all that bad.
The fact that they're working around an API limitation doesn't make this better, it just proves that they're up to no good. The whole reason there isn't an API for this is to prevent exactly this sort of enumeration.
It's clear that companies will do as much bad stuff as they can to make money. The fact that you can do this to work around extension enumeration limits should be treated as a security bug in Chrome, and fixed. And, while it doesn't really make a difference, LinkedIn should be considered to be exploiting a security vulnerability with this code.
I get the point you're making, but to be clear, "they’re checking to see if you’re a Muslim" vs "they’re checking to see if your fingerprint matches that of known Muslims in our ever-expanding database" are not too far off.
The bigger problem I see here is browser security and Javascript as a whole. Browsers should not be allowed to extract and send such vast amounts of information in the first place, especially without the user's consent. At most, they should return a few broad things such as browser type (major version), language perhaps, and device type (mobile/desktop). That's it. Other things, such as exact resolutions, time zones, and other hardware identifiers make it trivially easy to track users across the Internet. Now that it's too late to revise Web standards, browsers should default to return spoofed values for all the rest.
I've been avoiding Chrome-based browsers for many years now but have only recently become aware of how catastrophically low the Firefox market share is. I'm kind of shocked that more people aren't choosing to avoid Chrome.
> It also seems like what I’d expect to find in modern browser fingerprinting code.
Time to figure out if I can make FireFox pretend to be Chrome, and return random browser extensions every time I visit any website to screw up browser fingerprinting...
I'm confused, you call this "misleading" then quote the claim, but say it's "what [you'd] expect to find in modern browser fingerprinting code".
So what is it? Misleading, or exactly what you expected to find? It cannot be both.
It sounds more like you object to the negative framing of Microsoft hoovering up as much data as possible for profit, even though this is objectively a crime in the jurisdictions they are being sued in.
To flip it around, if one of those chrome extensions saved parts of the contents of the page it was on into a database, and I had the chrome extension navigate around on LinkedIn for me, collecting information, LinkedIn would sue me for CFAA violations because I'm scraping them for email addresses and phone numbers. This is not theoretical either, as LinkedIn has sued people in the past for scraping.
Well great there is no avalable 'getAllFiles()' or such either because they'd be scanning your files for "fingerprinting" as well.
> alarmist framing
Well they literally searching your computer for applications/extensions that you have installed? (and to an extent you can infer what are some of the desktop applications you have based on that too)
> sounds more like a product of an API limitation (i.e. no available getAllExtensions() or somesuch) vs. something inherently sinister (e.g. “they’re checking to see if you’re a Muslim”)
Then why search for PordaAI or Deen Shield? Or more specifically, since getAllExtensions() would return them, why would they be on the "scan list", instead of just ignored?
There is clear rules around what you can and can't do to fingerprint users. if it's being done overtly, covertly, obscurely, indirectly, all for the same result through direct or indirect or correlated metadata it ends up with the same outcome.
My understanding is the rules and laws are to prevent the outcome, by any means, if it's happening.
But I do take some issue with the alarmist framing of what’s going on.
I’ve come to mostly expect this behavior from most websites that run advertising code
We should be alarmed that websites we go to are fingerprinting us and tracking our behavior. This is problematic, full stop. The fact that most websites are doing this doesn't change that.
> It also seems like what I’d expect to find in modern browser fingerprinting code.
Exactly what I think it is. It's all for tracking and ultimately for advertisement. Linkedin can get exactly who you are and then they share that data with ad companies to better target you.
Yes. I was expecting LinkedIn was connecting to extensions that are using their exhanced privileges to scan your computer, per the "LinkedIn Is Illegally Searching Your Computer" headline.
> But I do take some issue with the alarmist framing of what's going on.
On the contrary, your framing is quite defeatist IMO. The fact that stores get robbed frequently does not mean we should just normalize that and accept it as a fact of life.
It's important to note that this isn't fixed by ad blockers. To avoid this kind of fingerprinting, you need to disable JavaScript or use a browser like Firefox which randomizes extension UUIDs.
How does this scan happen. AFAIK there is no API for a webpage to scan for extensions. The most a page could do is try to figure out indirectly if an extension exists if that extension leaks info into the page.
The next step for a forensic investigator, is to found out how many of those extensions, are actually from a partner or fully owned subsidiary from LinkedIn... When you see a cockroach...
I don't have a linkedin acct. So imagine my shock when I "googled" myself and found a linkedin profile connecting my name to a company I presently have a consulting arrangement with (1099 not W2). I went ballistic and fired off an email to the consulting firm to take down the profile immediately or face legal action (a bluff). Couple days later, the company forwarded an email they received from linkedin confirming the profile had been taken down.
So this is just a heads up that even if you don't have a linkedin account, they will create one on your behalf so might better check (assuming you neither have nor want one).
A few years ago, intentionally fingerprinting or tracking your users without disclosure was spyware and unethical. Alas, here we are.
Anyway, what they're calling "spectroscopy", is a combination of extension probing and doing residue detection (looking for what extensions might leave behind in the DOM).
An ad blocker is not necessarily equipped to help since the script is embedded with the application code. Since they're targetting Chrome, switching browsers will help with the probing but not the detection part and you'll still be fingerprinted.
The only way forward is for browser vendors to offer a real privacy or incognito mode where sites are sandboxed by default. When the default profile is identical across millions of users there won't be anything unique to fingerprint.
> The scan doesn’t just look for LinkedIn-related tools. It identifies whether you use an Islamic content filter (PordaAI — “Blur Haram objects, real-time AI for Islamic values”), whether you’ve installed an anti-Zionist political tagger (Anti-Zionist Tag), or a tool designed for neurodivergent users (simplify).
The claims made on the website linked here are plain wrong. The person behind them is subject to an account restriction for scraping and other violations of LinkedIn’s Terms of Service.
To protect the privacy of our members, their data, and to ensure site stability, we do look for extensions that scrape data without members’ consent or otherwise violate LinkedIn’s Terms of Service.
Here’s why: some extensions have static resources (images, javascript) available to inject into our webpages. We can detect the presence of these extensions by checking if that static resource URL exists. This detection is visible inside the Chrome developer console. We use this data to determine which extensions violate our terms, to inform and improve our technical defenses, and to understand why a member account might be fetching an inordinate amount of other members' data, which at scale, impacts site stability. We do not use this data to infer sensitive information about members.
For additional context, in retaliation for this website owner’s account restriction, they attempted to obtain an injunction in Germany, alleging LinkedIn had violated various laws. The court ruled against them and found their claims against LinkedIn had no merit, and in fact, this individual’s own data practices ran afoul of the law.
Unfortunately, this is a case of an individual who lost in the court of law, but is seeking to re-litigate in the court of public opinion without regard for accuracy.
All I'm seeing is that Chrome apparently is failing to properly sandbox websites against extension fingerprinting.
Sure, this can be solved at the legal layer, but in this case, there seems to be a much simpler and more effective technical solution, so why not pursue that instead?
>the fact that it scans for specific extensions sounds more like a product of an API limitation (i.e. no available getAllExtensions() or somesuch)
Why should a website be able to scan for extensions at all?
Or if there's a legitimate need (like linkedin.com wants to see if you installed the linkedin extension), leave it up to the extension to decide if it wants to reveal itself. The extension can register a list of URL patterns it will reveal itself to. So the linkedin extension might reveal itself only to *.linkedin.com, a language translation extension might reveal itself to everyone, and an adblocker extension might not choose to reveal itself to anyone.
Fwiw... I now run personal and professional browser profiles from two different jails / cgroups. It's a pain in the arse to set up, and I have to verify my config still works after every update, but I get a good feeling knowing my personal chocolate is not mixing in with my professional peanut butter.
I set up the cgroups hack so I could route traffic from a dev profile into a VPS vpn, and may not be that useful for everyone.
But I think this is a reminder that you may want to have at least two profiles: one public and the other private. Do you really want Microsoft to know you installed the "Otaku Neko StarBlazers Tru-Fen Extendomatic" package to change every picture of a current political figure to an image from the cast of Space Battleship Yamato?
There is no reason to trust any big tech company. Folks should be using containers in their browser if they care about privacy. I previously published a LinkedIn container extension for FireFox: https://addons.mozilla.org/en-US/firefox/addon/linkedin-cont... although as many know you can achieve the same results with Firefox containers without a specific extension like mine if you configure it manually.
I will work on an improvement to that extension so that it can block these scans if they attempt them in firefox.
770 comments
> Every time you open LinkedIn in a Chrome-based browser, LinkedIn’s JavaScript executes a silent scan of your installed browser extensions. The scan probes for thousands of specific extensions by ID, collects the results, encrypts them, and transmits them to LinkedIn’s servers.
This does seem invasive. It also seems like what I’d expect to find in modern browser fingerprinting code. I’m not deeply familiar with what APIs are available for detecting extensions, but the fact that it scans for specific extensions sounds more like a product of an API limitation (i.e. no available getAllExtensions() or somesuch) vs. something inherently sinister (e.g. “they’re checking to see if you’re a Muslim”).
I’m certainly not endorsing it, do think it’s pretty problematic, and I’m glad it’s getting some visibility. But I do take some issue with the alarmist framing of what’s going on.
I’ve come to mostly expect this behavior from most websites that run advertising code and this is why I run ad blockers.
Calling the title misleading because they didn't breach the browser sandbox is wrong when this is clearly a scenario most people didn't think was possible. Chrome added extensionId randomization with the change to V3, so it's clearly not an intended scenario.
> vs. something inherently sinister (e.g. “they’re checking to see if you’re a Muslim”)
They chose to put that particular extension in their target list, how is it not sinister? If the list had only extensions to affect LinkedIn page directly (a good chunk seem to be LinkedIn productivity tools) they would have some plausible deniability, but that's not the case. You're just "nothing ever happens"ing this.
>
How is probing your browser for installed extensions not "scanning your computer"?I think most people would interpret “scanning your computer” as breaking out of the confines the browser and gathering information from the computer itself. If this was happening, the magnitude of the scandal would be hard to overstate.
But this is not happening. What actually is happening is still a problem. But the hyperbole undermines what they’re trying to communicate and this is why I objected to the title.
> They chose to put that particular extension in their target list, how is it not sinister?
Alongside thousands of other extensions. If they were scanning for a dozen things and this was one of them, I’d tend to agree with you. But this sounds more like they enumerated known extension IDs for a large number of extensions because getting all installed extensions isn’t possible.
If we step back for a moment and ask the question: “I’ve been tasked with building a unique fingerprint capability to combat (bots/scrapers/known bad actors, etc), how would I leverage installed extensions as part of that fingerprint?”
What the article describes sounds like what many devs would land on given the browser APIs available.
To reiterate, at no point am I saying this is good or acceptable. I think there’s a massive privacy problem in the tech industry that needs to be addressed.
But the authors have chosen to frame this in language that is hyperbolic and alarmist, and in doing so I thing they’re making people focus on the wrong things and actually obscuring the severity of the problem, which is certainly not limited to LinkedIn.
> What the article describes sounds like what many devs would land on given the browser APIs available.
> To reiterate, at no point am I saying this is good or acceptable. I think there’s a massive privacy problem in the tech industry that needs to be addressed.
These two sentences highlight the underlying problem: Developers without an ethical backbone, or who are powerless to push back on unethical projects. What the article describes should not be "what many devs would land on" naturally. What many devs should land on is "scanning the user's browser in order to try to fingerprint him without consent is wrong and we cannot do it."
To put it more extreme: If a developer's boss said "We need to build software for a drone that will autonomously fly around and kill infants," The developer's natural reaction should not be: "OK, interesting problem. First we'll need a source of map data, and vision algorithm that identifies infants...." Yet, our industry is full of this "OK, interesting technology!" attitude.
Unfortunately, for every developer who is willing to draw the line on ethical grounds, there's another developer waiting in the recruiting pipeline more than willing to throw away "doing the right thing" if it lands him a six figure salary.
Fighting against these kinds of directives was a large factor in my own major burnout and ultimately quitting big tech. I was successful for awhile, but it takes a serious toll if you’re an IC constantly fighting against directors and VPs just concerned about solving some perceived business problem regardless of the technical barriers.
Part of the problem is that these projects often address a legitimate issue that has no “good” solution, and that makes pushing back/saying no very difficult if you don’t have enough standing within the company or aren’t willing to put your career on the line.
I’d be willing to bet good money that this LinkedIn thing was framed as an anti-bot/anti-abuse initiative. And those are real issues.
But too many people fail to consider the broader implications of the requested technical implementation.
Edit: typos
> These two sentences highlight the underlying problem: Developers without an ethical backbone, or who are powerless to push back on unethical projects.
One reason your boss is eager to replace everyone with language models, they won’t have any “ethical backbone” :’)
Same with LLMs. This is a race. Competent people are in demand.
> There's no viable "grassroots" solution to the problem
Does something like running the duckduckgo extension not help?
> There's no viable "grassroots" solution to the problem, it needs to come from regulation. Managers need to serve time in prison,
No, yes
Yes, giving these people short (or long, mēh) prison sentences is the only thing that will stop this.
No, the obvious grassroots response is to not use LinkedIn or Chrome. (You mean developers not consumers, I think. The developers in the trenches should obey if they need their jobs, they are not to blame. It is the evil swine getting the big money and writing the big cheque's...)
That involves integrating with tracking providers to best recognize whether a purchase is being made by a bot or not, whether it matches "Normal" signals for that kind of order, and importantly, whether the credit card is being used by the normal tracking identity that uses it.
Even the GDPR gives us enormous leeway to do literally this, but it requires participating in tracking networks that have what amounts to a total knowledge of purchases and browsing you do on the internet. That's the only way they work at all. And they work very well.
Is it Ethical?
It is a huge portion of the reason why ecommerce is possible, and significantly reduces credit card fraud, and in our specific case, drastically limits the ability of a criminal to profit off of stolen credit cards.
Are people better off from my work? If you do not visit our platforms, you are not tracked by us specifically, but the providers we work with are tracking you all over the web, and definitely not just on ecommerce.
Should this be allowed?
In short, you are not going to solve this problem blaming developer ethics. You need regulation. To get the right regulation we need to get rid of PACs and lobbying.
> These two sentences highlight the underlying problem: Developers without an ethical backbone, or who are powerless to push back on unethical projects. What the article describes should not be "what many devs would land on" naturally. What many devs should land on is "scanning the user's browser in order to try to fingerprint him without consent is wrong and we cannot do it."
I think using LinkedIn is pretty much agreeing to participate in “fingerprinting” (essentially identifying yourself) to that system. There might be a blurry line somewhere around “I was just visiting a page hosted on LinkedIn.com and was not myself browsing anyone else’s personal information”, but otherwise LinkedIn exists as a social network/credit bureau-type system. I’m not sure how we navigate this need to have our privacy while simultaneously needing to establish our priors to others, which requires sharing information about ourselves. The ethics here is not black and white.
> I think most people would interpret “scanning your computer” as breaking out of the confines the browser and gathering information from the computer itself.
Yes, but I also think that most people would interpret "Getting a full list of all the Chrome extensions you have installed" as a meaningful escape/violation of the browser's privacy sandbox. The fact that there's no getAllExtensions API is deliberate. The fact that you can work around this with scanning for extension IDs is not something most people know about, and the Chrome developers patched it when it became common. So I don't think describing it as something everybody would expect is totally fine and normal for browsers to allow is correct.
> I think most people would interpret “scanning your computer” as breaking out of the confines the browser and gathering information from the computer itself.
That is exactly how I interpreted it, and that is why I clicked the link. When I skimmed the article and realized that wasn't the case, I immediately thought "Ugh, clickbait" and came to the HN comments section.
> To reiterate, at no point am I saying this is good or acceptable. I think there’s a massive privacy problem in the tech industry that needs to be addressed.
100% Agree.
So, in summary: what they are doing is awful. Yes, they are collecting a ton of data about you. But, when you post with a headline that makes me think they are scouring my hard drive for data about me... and I realize that's not the case... your credibility suffers.
Also, I think the article would be better served by pointing out that LinkedIn is BY FAR not the only company doing this...
> Alongside thousands of other extensions. If they were scanning for a dozen things and this was one of them, I’d tend to agree with you. But this sounds more like they enumerated known extension IDs for a large number of extensions because getting all installed extensions isn’t possible.
To take a step back further: what you're saying here is that gathering more data makes it less sinister. The gathering not being targeted is not an excuse for gathering the data in the first place.
It's likely that the 'naive developer tasked with fingerprinting' scenario is close to the reality of how this happened. But that doesn't change the fact that sensitive data -- associated with real identities -- is now in the hands of MS and a slew of other companies, likely illegally.
> But the authors have chosen to frame this in language that is hyperbolic and alarmist, and in doing so I thing they’re making people focus on the wrong things and actually obscuring the severity of the problem, which is certainly not limited to LinkedIn.
The article is not hyperbolizing by exploring the ramifications of this; and it's true that this sort of tracking is going on everywhere, but neither is it alarmist to draw attention to a particularly egregious case. What wrong things does it focus on?
> I think most people would interpret “scanning your computer” as breaking out of the confines the browser and gathering information from the computer itself.
Which they would, if they could.
They are scanning users' computers to the maximum extent possible.
> Alongside thousands of other extensions. If they were scanning for a dozen things and this was one of them, I’d tend to agree with you. But this sounds more like they enumerated known extension IDs for a large number of extensions because getting all installed extensions isn’t possible.
If that's all it takes to fool you then its pretty trivial way to hide your true intentions.
> I think most people would interpret “scanning your computer” as breaking out of the confines the browser and gathering information from the computer itself. If this was happening, the magnitude of the scandal would be hard to overstate.
But at the end of the day, the browser is likely where your most sensitive data is.
> making people focus on the wrong things and actually obscuring the severity of the problem, which is certainly not limited to LinkedIn.
No, LinkedIN has much more sensitive data already. Combined with which the voracious fingerprinting, this stands out as a particularly dystopian instance of surveillance capitalism
>Calling the title misleading because they didn't breach the browser sandbox is wrong
By this logic we could also say that LinkedIn scans your home network.
> I’ve come to mostly expect this behavior from most websites that run advertising code and this is why I run ad blockers.
Expecting and accepting this kind of thing is why everyone feels the need to run an ad-blocker.
An ad-blocker also isn’t full protection. It’s a cat and mouse game. Novel ideas on how to extract information about you, and influence behavior, will never be handled by ad-blockers until it becomes known. And even then, it’s a question of if it’s worth the dev time for the maker of the ad-blocker you happen to be using and if that filter list gets enabled… and how much of the web enabling it breaks.
> this is why I run ad blockers.
It's pretty wild that we live in a world where the actual FBI has recommended we use ad blockers to protect ourselves, and if everyone actually listened, much of the Internet (and economy) as we know it would disappear. The FBI is like "you should protect yourself from the way that the third largest company in the world does business", and the average person's response is "nah, that would take at least a couple of minutes of my time, I'll just go ahead and continue to suffer with invasive ads and make sure $GOOG keeps going up".
They also logically don’t need to fingerprint these users because those people are literally logging in to an account with their credentials.
By all appearances they’re just trying to detect people who are using spam automation and scraping extensions, which honestly I’m not too upset about.
If you never install a LinkedIn scraper or post generator extension you wouldn’t hit any of the extensions in the list they check for, last time I looked.
I run a site which attracts a lot of unsavoury people who need to be banned from our services, and tracking them to reban them when they come back is a big part of what makes our product better than others in the industry. I do not care at all about actually tracking good users, and I am not reselling this data, or anything malicious, it's entire purpose is literally to make the website more enjoyable for the good users.
> expect to find in modern browser fingerprinting
No. Don't need extensions for that. See how Cloudflare Turnstile does it, recently popped up at https://news.ycombinator.com/item?id=47566865 cause ChatGPT uses it now:
Layer 1: Browser Fingerprint WebGL (8 properties): UNMASKED_VENDOR_WEBGL, UNMASKED_RENDERER_WEBGL, WEBGL_debug_renderer_info, getExtension, getParameter, getContext, canvas, webgl
Screen (8): colorDepth, pixelDepth, width, height, availWidth, availHeight, availLeft, availTop
Hardware (5): hardwareConcurrency, deviceMemory, maxTouchPoints, platform, vendor
Font measurement (4): fontFamily, fontSize, getBoundingClientRect, innerText. Creates a hidden div, sets a font, measures rendered text dimensions, removes the element.
DOM probing (8): createElement, appendChild, removeChild, div, style, position, visibility, ariaHidden
Storage (5): storage, quota, estimate, setItem, usage. Also writes the fingerprint to localStorage under key 6f376b6560133c2c for persistence across page loads.
Scanning for 6000 extensions is anti-competitive, surveillant and immoral.
> I’m not deeply familiar with what APIs are available for detecting extensions, but the fact that it scans for specific extensions sounds more like a product of an API limitation (i.e. no available getAllExtensions() or somesuch) vs. something inherently sinister
This seems like a really weird argument to make. The fact that the platform doesn't provide a privacy-violating API is not an extenuating circumstance. LinkedIn needed to work around this limitation, so they knew they're doing something sketchy.
For the record, I don't think they're being evil here, but the explanation is different: they're don't seem to be trying to fingerprint users as much as they're trying to detect specific "evil" extensions that do things LinkedIn doesn't want them to do on linkedin.com. I guess that's their prerogative (and it's the prerogative of browsers to take that away).
Those profiling tools don't really care which features are going to be used for predictions. It's just machine learning, and it's indiscriminate. So if you have an extension that correlates with you being Muslim, it will be used for whatever ML predictions they give to other companies, and the worst case will be another "oh we didn't do this intentionally".
Of course, that's not the first time this ever happened in human history, so even if it's not "something inherently sinister", it's just "criminal negligence".
Just run everything in a safe environment that it can't look out of.
> I’m not deeply familiar with what APIs are available for detecting extension
Here is what the article says:
Method 1
Method 2 The API is making an HTTP request to There is then a second stage where they walk the DOM looking for text signatures and element attributes indicative of the store_id valuesIt looks like the user has the freedom to manage this by launching chrome with this flag: --disable-extensions
It also seems there is an extension for extension management to deny extension availability by web site: https://superuser.com/questions/1546186/enable-disable-chrom...
> The scan probes for thousands of specific extensions by ID, collects the results
Why exactly does Chrome even allow this in the first place!? This is the most surprising takeaway for me here, given browser vendors' focus on hardening against fingerprinting.
When you're literally the company that invented Kafka for your clickstreams, "everything looks like a nail."
(More likely, though, this is an anti-scraping initiative, since headless browsers are unlikely to randomize their use of extensions, and they can use this to identify potential scrapers.)
>
the fact that it scans for specific extensions sounds more like a product of an API limitation (i.e. no available getAllExtensions() or somesuch) vs. something inherently sinister (e.g. “they’re checking to see if you’re a Muslim”).Your computer is your private domain. Your house is your private domain. You don't make a "getAllKeysOnPorch()" API, and certainly don't make "getAllBankAccounts()" API. And if you do, you certainly don't make it available to anyone who asks.
It absolutely is sinister.
> This does seem invasive. It also seems like what I’d expect to find in modern browser fingerprinting code. I’m not deeply familiar with what APIs are available for detecting extensions, but the fact that it scans for specific extensions sounds more like a product of an API limitation (i.e. no available getAllExtensions() or somesuch) vs. something inherently sinister (e.g. “they’re checking to see if you’re a Muslim”).
Working around deliberate API designs that are designed to make it harder to get a list of all installed extensions is inherently sinister. It's very clearly malicious. We absolutely should not accept that kind of behavior from anyone and definitely not from the corporations large enough that we can't realistically avoid depending upon them.
> I’m certainly not endorsing it, do think it’s pretty problematic, and I’m glad it’s getting some visibility. But I do take some issue with the alarmist framing of what’s going on.
Speaking has someone who shares the same lack of surprise, perhaps some alarm is warranted. Just because it’s ubiquitous doesn’t mean it’s ok. This feels very much frog in boiling water for me.
Why do you think the alarmist framing is unwarranted?
I would put it more like: it sounds bad, and it's no different from what others do, so they're all that bad.
The fact that they're working around an API limitation doesn't make this better, it just proves that they're up to no good. The whole reason there isn't an API for this is to prevent exactly this sort of enumeration.
It's clear that companies will do as much bad stuff as they can to make money. The fact that you can do this to work around extension enumeration limits should be treated as a security bug in Chrome, and fixed. And, while it doesn't really make a difference, LinkedIn should be considered to be exploiting a security vulnerability with this code.
> It also seems like what I’d expect to find in modern browser fingerprinting code.
Time to figure out if I can make FireFox pretend to be Chrome, and return random browser extensions every time I visit any website to screw up browser fingerprinting...
The people behind this URL are trying to hold Microsoft accountable. The power to them.
> I’ve come to mostly expect this behavior from most websites that run advertising code and this is why I run ad blockers.
We should not normalise nor accept this behaviour in the first place.
So what is it? Misleading, or exactly what you expected to find? It cannot be both.
It sounds more like you object to the negative framing of Microsoft hoovering up as much data as possible for profit, even though this is objectively a crime in the jurisdictions they are being sued in.
> no available getAllExtensions()
Well great there is no avalable 'getAllFiles()' or such either because they'd be scanning your files for "fingerprinting" as well.
> alarmist framing
Well they literally searching your computer for applications/extensions that you have installed? (and to an extent you can infer what are some of the desktop applications you have based on that too)
> sounds more like a product of an API limitation (i.e. no available getAllExtensions() or somesuch) vs. something inherently sinister (e.g. “they’re checking to see if you’re a Muslim”)
Then why search for PordaAI or Deen Shield? Or more specifically, since getAllExtensions() would return them, why would they be on the "scan list", instead of just ignored?
My understanding is the rules and laws are to prevent the outcome, by any means, if it's happening.
I’ve come to mostly expect this behavior from most websites that run advertising code
We should be alarmed that websites we go to are fingerprinting us and tracking our behavior. This is problematic, full stop. The fact that most websites are doing this doesn't change that.
[1] - https://browserleaks.com/chrome
[2] - https://browserleaks.com/javascript
> It also seems like what I’d expect to find in modern browser fingerprinting code.
Exactly what I think it is. It's all for tracking and ultimately for advertisement. Linkedin can get exactly who you are and then they share that data with ad companies to better target you.
Really gross behavior.
> The headline seems pretty misleading.
Yes. I was expecting LinkedIn was connecting to extensions that are using their exhanced privileges to scan your computer, per the "LinkedIn Is Illegally Searching Your Computer" headline.
Instead, LinkedIn is scanning for extensions.
> i.e. no available getAllExtensions() or somesuch) vs. something inherently sinister (e.g. “they’re checking to see if you’re a Muslim”
But I bet they could reliably guess your religious affiliation based on the presence of some specific browser extensions.
> But I do take some issue with the alarmist framing of what's going on.
On the contrary, your framing is quite defeatist IMO. The fact that stores get robbed frequently does not mean we should just normalize that and accept it as a fact of life.
It's important to note that this isn't fixed by ad blockers. To avoid this kind of fingerprinting, you need to disable JavaScript or use a browser like Firefox which randomizes extension UUIDs.
So this is just a heads up that even if you don't have a linkedin account, they will create one on your behalf so might better check (assuming you neither have nor want one).
Anyway, what they're calling "spectroscopy", is a combination of extension probing and doing residue detection (looking for what extensions might leave behind in the DOM).
An ad blocker is not necessarily equipped to help since the script is embedded with the application code. Since they're targetting Chrome, switching browsers will help with the probing but not the detection part and you'll still be fingerprinted.
The only way forward is for browser vendors to offer a real privacy or incognito mode where sites are sandboxed by default. When the default profile is identical across millions of users there won't be anything unique to fingerprint.
> The scan doesn’t just look for LinkedIn-related tools. It identifies whether you use an Islamic content filter (PordaAI — “Blur Haram objects, real-time AI for Islamic values”), whether you’ve installed an anti-Zionist political tagger (Anti-Zionist Tag), or a tool designed for neurodivergent users (simplify).
To protect the privacy of our members, their data, and to ensure site stability, we do look for extensions that scrape data without members’ consent or otherwise violate LinkedIn’s Terms of Service.
Here’s why: some extensions have static resources (images, javascript) available to inject into our webpages. We can detect the presence of these extensions by checking if that static resource URL exists. This detection is visible inside the Chrome developer console. We use this data to determine which extensions violate our terms, to inform and improve our technical defenses, and to understand why a member account might be fetching an inordinate amount of other members' data, which at scale, impacts site stability. We do not use this data to infer sensitive information about members.
For additional context, in retaliation for this website owner’s account restriction, they attempted to obtain an injunction in Germany, alleging LinkedIn had violated various laws. The court ruled against them and found their claims against LinkedIn had no merit, and in fact, this individual’s own data practices ran afoul of the law.
Unfortunately, this is a case of an individual who lost in the court of law, but is seeking to re-litigate in the court of public opinion without regard for accuracy.
Sure, this can be solved at the legal layer, but in this case, there seems to be a much simpler and more effective technical solution, so why not pursue that instead?
>the fact that it scans for specific extensions sounds more like a product of an API limitation (i.e. no available getAllExtensions() or somesuch)
Why should a website be able to scan for extensions at all?
Or if there's a legitimate need (like linkedin.com wants to see if you installed the linkedin extension), leave it up to the extension to decide if it wants to reveal itself. The extension can register a list of URL patterns it will reveal itself to. So the linkedin extension might reveal itself only to *.linkedin.com, a language translation extension might reveal itself to everyone, and an adblocker extension might not choose to reveal itself to anyone.
I set up the cgroups hack so I could route traffic from a dev profile into a VPS vpn, and may not be that useful for everyone.
But I think this is a reminder that you may want to have at least two profiles: one public and the other private. Do you really want Microsoft to know you installed the "Otaku Neko StarBlazers Tru-Fen Extendomatic" package to change every picture of a current political figure to an image from the cast of Space Battleship Yamato?
I will work on an improvement to that extension so that it can block these scans if they attempt them in firefox.