How is probing your browser for installed extensions not "scanning your computer"?

Calling the title misleading because they didn't breach the browser sandbox is wrong when this is clearly a scenario most people didn't think was possible. Chrome added extensionId randomization with the change to V3, so it's clearly not an intended scenario.

> vs. something inherently sinister (e.g. “they’re checking to see if you’re a Muslim”)

They chose to put that particular extension in their target list, how is it not sinister? If the list had only extensions to affect LinkedIn page directly (a good chunk seem to be LinkedIn productivity tools) they would have some plausible deniability, but that's not the case. You're just "nothing ever happens"ing this.

> I’ve come to mostly expect this behavior from most websites that run advertising code and this is why I run ad blockers.

Expecting and accepting this kind of thing is why everyone feels the need to run an ad-blocker.

An ad-blocker also isn’t full protection. It’s a cat and mouse game. Novel ideas on how to extract information about you, and influence behavior, will never be handled by ad-blockers until it becomes known. And even then, it’s a question of if it’s worth the dev time for the maker of the ad-blocker you happen to be using and if that filter list gets enabled… and how much of the web enabling it breaks.

> this is why I run ad blockers.

It's pretty wild that we live in a world where the actual FBI has recommended we use ad blockers to protect ourselves, and if everyone actually listened, much of the Internet (and economy) as we know it would disappear. The FBI is like "you should protect yourself from the way that the third largest company in the world does business", and the average person's response is "nah, that would take at least a couple of minutes of my time, I'll just go ahead and continue to suffer with invasive ads and make sure $GOOG keeps going up".

I disagree, I think we should push back hard on behavior like this. What business is it of LinkedIn's what browser extensions I have installed? I think the framing for this is appropriate.

This has been covered several times including reverse engineering of the code. The list of extensions they check for doesn’t include common extensions like ad blockers. It’s exclusively full of LinkedIn spamming and scraping type of extensions.

They also logically don’t need to fingerprint these users because those people are literally logging in to an account with their credentials.

By all appearances they’re just trying to detect people who are using spam automation and scraping extensions, which honestly I’m not too upset about.

If you never install a LinkedIn scraper or post generator extension you wouldn’t hit any of the extensions in the list they check for, last time I looked.

It is likely in response to scraping. Linked in is heavily scraped by scammers who do the BEC scams. So linked in is trying to find ways to link together banned accounts, to handle their ban evasion.

I run a site which attracts a lot of unsavoury people who need to be banned from our services, and tracking them to reban them when they come back is a big part of what makes our product better than others in the industry. I do not care at all about actually tracking good users, and I am not reselling this data, or anything malicious, it's entire purpose is literally to make the website more enjoyable for the good users.

> expect to find in modern browser fingerprinting

No. Don't need extensions for that. See how Cloudflare Turnstile does it, recently popped up at https://news.ycombinator.com/item?id=47566865 cause ChatGPT uses it now:

Layer 1: Browser Fingerprint WebGL (8 properties): UNMASKED_VENDOR_WEBGL, UNMASKED_RENDERER_WEBGL, WEBGL_debug_renderer_info, getExtension, getParameter, getContext, canvas, webgl

Screen (8): colorDepth, pixelDepth, width, height, availWidth, availHeight, availLeft, availTop

Hardware (5): hardwareConcurrency, deviceMemory, maxTouchPoints, platform, vendor

Font measurement (4): fontFamily, fontSize, getBoundingClientRect, innerText. Creates a hidden div, sets a font, measures rendered text dimensions, removes the element.

DOM probing (8): createElement, appendChild, removeChild, div, style, position, visibility, ariaHidden

Storage (5): storage, quota, estimate, setItem, usage. Also writes the fingerprint to localStorage under key 6f376b6560133c2c for persistence across page loads.

Scanning for 6000 extensions is anti-competitive, surveillant and immoral.

> I’m not deeply familiar with what APIs are available for detecting extensions, but the fact that it scans for specific extensions sounds more like a product of an API limitation (i.e. no available getAllExtensions() or somesuch) vs. something inherently sinister

This seems like a really weird argument to make. The fact that the platform doesn't provide a privacy-violating API is not an extenuating circumstance. LinkedIn needed to work around this limitation, so they knew they're doing something sketchy.

For the record, I don't think they're being evil here, but the explanation is different: they're don't seem to be trying to fingerprint users as much as they're trying to detect specific "evil" extensions that do things LinkedIn doesn't want them to do on linkedin.com. I guess that's their prerogative (and it's the prerogative of browsers to take that away).

Well, that's precisely what is sinister here.

Those profiling tools don't really care which features are going to be used for predictions. It's just machine learning, and it's indiscriminate. So if you have an extension that correlates with you being Muslim, it will be used for whatever ML predictions they give to other companies, and the worst case will be another "oh we didn't do this intentionally".

Of course, that's not the first time this ever happened in human history, so even if it's not "something inherently sinister", it's just "criminal negligence".

> I’m not deeply familiar with what APIs are available for detecting extension

Here is what the article says:

Method 1

    async function c() {
      const e = [],
        t = r.map(({id: t, file: n}) => {
          return fetch(`chrome-extension://${t}/${n}`)
        });
      (await Promise.allSettled(t)).forEach((t, n) => {
        if ("fulfilled" === t.status && void 0 !== t.value) {
          const t = r[n];
          t && e.push(t.id);
        }
      });
      return e;
    }

    async function(e) {
      const t = [];
      for (const {id: n, file: i} of r) {
        try {
          await fetch(`chrome-extension://${n}/${i}`) && t.push(n);
        } catch(e) {}
        e > 0 && await new Promise(t => setTimeout(t, e));
      }
      return t;
    }

    chrome-extension://${store_id}/${file_name}

It looks like the user has the freedom to manage this by launching chrome with this flag: --disable-extensions

It also seems there is an extension for extension management to deny extension availability by web site: https://superuser.com/questions/1546186/enable-disable-chrom...

Why is JavaScript running in a page even allowed to know what extensions I have? Is this also what sites use to see I've got an ad blocker?

Just run everything in a safe environment that it can't look out of.

For what it's worth - and I'm not saying that LinkedIn is doing this for the right reasons - I can imagine a frontend QA team wanting to do this to understand how prominent certain extensions are for users of various parts of their product, correlating those extensions against frontend bug reports, and using that to guide QA procedures with real-world extension sets.

When you're literally the company that invented Kafka for your clickstreams, "everything looks like a nail."

(More likely, though, this is an anti-scraping initiative, since headless browsers are unlikely to randomize their use of extensions, and they can use this to identify potential scrapers.)

> The scan probes for thousands of specific extensions by ID, collects the results

Why exactly does Chrome even allow this in the first place!? This is the most surprising takeaway for me here, given browser vendors' focus on hardening against fingerprinting.

> the fact that it scans for specific extensions sounds more like a product of an API limitation (i.e. no available getAllExtensions() or somesuch) vs. something inherently sinister (e.g. “they’re checking to see if you’re a Muslim”).

Your computer is your private domain. Your house is your private domain. You don't make a "getAllKeysOnPorch()" API, and certainly don't make "getAllBankAccounts()" API. And if you do, you certainly don't make it available to anyone who asks.

It absolutely is sinister.

The bigger problem I see here is browser security and Javascript as a whole. Browsers should not be allowed to extract and send such vast amounts of information in the first place, especially without the user's consent. At most, they should return a few broad things such as browser type (major version), language perhaps, and device type (mobile/desktop). That's it. Other things, such as exact resolutions, time zones, and other hardware identifiers make it trivially easy to track users across the Internet. Now that it's too late to revise Web standards, browsers should default to return spoofed values for all the rest.

> I’m certainly not endorsing it, do think it’s pretty problematic, and I’m glad it’s getting some visibility. But I do take some issue with the alarmist framing of what’s going on.

Speaking has someone who shares the same lack of surprise, perhaps some alarm is warranted. Just because it’s ubiquitous doesn’t mean it’s ok. This feels very much frog in boiling water for me.

Why do you think the alarmist framing is unwarranted?

Just because someone lets the electrician (LinkedIn) into their home (browser) doesn't mean they can do whatever the hell they want that isn't expressly prohibited. If the electrician wants to rifle through my desk drawers, they should ask for permission, and I will politely tell them to leave.

I worked for a company that sold b2b contact data and they had (maybe still have) a linkedIn extension. It basically enriched the linkedIn profile. I wonder if linkedIn is trying to block these, or heavily target, in some way, these types of users to push folks towards their sales navigator.

I get the point you're making, but to be clear, "they’re checking to see if you’re a Muslim" vs "they’re checking to see if your fingerprint matches that of known Muslims in our ever-expanding database" are not too far off.

I've been avoiding Chrome-based browsers for many years now but have only recently become aware of how catastrophically low the Firefox market share is. I'm kind of shocked that more people aren't choosing to avoid Chrome.

> It also seems like what I’d expect to find in modern browser fingerprinting code.

Time to figure out if I can make FireFox pretend to be Chrome, and return random browser extensions every time I visit any website to screw up browser fingerprinting...

> It also seems like what I’d expect to find in modern browser fingerprinting code.

Exactly what I think it is. It's all for tracking and ultimately for advertisement. Linkedin can get exactly who you are and then they share that data with ad companies to better target you.

Really gross behavior.

> sounds more like a product of an API limitation (i.e. no available getAllExtensions() or somesuch) vs. something inherently sinister (e.g. “they’re checking to see if you’re a Muslim”)

Then why search for PordaAI or Deen Shield? Or more specifically, since getAllExtensions() would return them, why would they be on the "scan list", instead of just ignored?

> I’ve come to mostly expect this behavior from most websites that run advertising code and this is why I run ad blockers.

We should not normalise nor accept this behaviour in the first place.

> But I do take some issue with the alarmist framing of what's going on.

On the contrary, your framing is quite defeatist IMO. The fact that stores get robbed frequently does not mean we should just normalize that and accept it as a fact of life.

Javascript can query chrome extensions [1] and much more [2].

[1] - https://browserleaks.com/chrome

[2] - https://browserleaks.com/javascript

How does this scan happen. AFAIK there is no API for a webpage to scan for extensions. The most a page could do is try to figure out indirectly if an extension exists if that extension leaks info into the page.

> no available getAllExtensions()

Well great there is no avalable 'getAllFiles()' or such either because they'd be scanning your files for "fingerprinting" as well.

> alarmist framing

Well they literally searching your computer for applications/extensions that you have installed? (and to an extent you can infer what are some of the desktop applications you have based on that too)

>this is why I run ad blockers.

It's important to note that this isn't fixed by ad blockers. To avoid this kind of fingerprinting, you need to disable JavaScript or use a browser like Firefox which randomizes extension UUIDs.

> i.e. no available getAllExtensions() or somesuch) vs. something inherently sinister (e.g. “they’re checking to see if you’re a Muslim”

But I bet they could reliably guess your religious affiliation based on the presence of some specific browser extensions.

The tracking described is extremely invasive. You say you are not endorsing it but you are certainly normalizing it. This is unacceptable.

The people behind this URL are trying to hold Microsoft accountable. The power to them.

The next step for a forensic investigator, is to found out how many of those extensions, are actually from a partner or fully owned subsidiary from LinkedIn... When you see a cockroach...

I agree. The first paragraph on the page implies the javascript can natively search your machine (vs. via Browser Extensions)

I wonder if their motivation for doing this is to detect the LinkedIn automation tools that power all the spam messaging and connection requests?

> this is why I run ad blockers.

What's been really obnoxious lately is the number of sites I try to do things on that are straight up broken without turning off my ad-blocker.

extensions create so many bug reports, I would do the same

> The scan probes for thousands of specific extensions by ID, collects the results, encrypts them, and transmits them to LinkedIn’s servers.

Why is this even possible in the first place? It's nobodies business what extensions I have installed.

Which browsers in which mode (normal/private) are affected?

>vs. something inherently sinister

This is inherently sinister.

But what would be the benefit of them doing that?

this is obviously not fingerprinting code to anyone with a brain, it's about scraping

Android had a similar feature, but google removed it because it was invasive and being misused to target people.

To flip it around, if one of those chrome extensions saved parts of the contents of the page it was on into a database, and I had the chrome extension navigate around on LinkedIn for me, collecting information, LinkedIn would sue me for CFAA violations because I'm scraping them for email addresses and phone numbers. This is not theoretical either, as LinkedIn has sued people in the past for scraping.

Your expectations do not matter here frankly. This reads like CFAA to me, unauthorized access.

My biggest gripe is why these JS APIs even exist in the first place

> The headline seems pretty misleading.

Yes. I was expecting LinkedIn was connecting to extensions that are using their exhanced privileges to scan your computer, per the "LinkedIn Is Illegally Searching Your Computer" headline.

Instead, LinkedIn is scanning for extensions.

But I do take some issue with the alarmist framing of what’s going on.

I’ve come to mostly expect this behavior from most websites that run advertising code

We should be alarmed that websites we go to are fingerprinting us and tracking our behavior. This is problematic, full stop. The fact that most websites are doing this doesn't change that.

Your post sounds like "it sounds bad, but it's no different from what others do, so it's not that bad."

I would put it more like: it sounds bad, and it's no different from what others do, so they're all that bad.

The fact that they're working around an API limitation doesn't make this better, it just proves that they're up to no good. The whole reason there isn't an API for this is to prevent exactly this sort of enumeration.

It's clear that companies will do as much bad stuff as they can to make money. The fact that you can do this to work around extension enumeration limits should be treated as a security bug in Chrome, and fixed. And, while it doesn't really make a difference, LinkedIn should be considered to be exploiting a security vulnerability with this code.

There is clear rules around what you can and can't do to fingerprint users. if it's being done overtly, covertly, obscurely, indirectly, all for the same result through direct or indirect or correlated metadata it ends up with the same outcome.

My understanding is the rules and laws are to prevent the outcome, by any means, if it's happening.

I wonder if this is part of the reason why LinkedIn tabs seem to use so much ram, and sometimes run away CPU processes.

linked in is scummy but yes I was puzzled by how linked in could scan your comouter from the browser. when i saw they meant extensions I thought aha.

> "they're checking to see if you're a Muslim"

This could be easily inferred from the depth, breadth, and interconnectedness of data in the website.

By downplaying it, it's allowing it to exist and do the very thing.

The issue here is this stuff is working likely despite ad blockers.

Fingerprinting technology can do a lot more than just what can be learned from ads.

From the site:

"The scan doesn’t just look for LinkedIn-related tools. It identifies whether you use an Islamic content filter (PordaAI — “Blur Haram objects, real-time AI for Islamic values”), whether you’ve installed an anti-Zionist political tagger (Anti-Zionist Tag), or a tool designed for neurodivergent users (simplify). Under GDPR Article 9, processing data that reveals religious beliefs, political opinions, or health conditions requires explicit consent. LinkedIn obtains none." https://browsergate.eu/extensions/

> The scan probes for thousands of specific extensions by ID, collects the results, encrypts them, and transmits them

And probably also vibe-coded therefore 2 tabs of LinkedIn take up 1GB of RAM (was on the front page a few days back).

What's the path for that to even happen?

Are companies now commonly uploading lists of employees to LinkedIn? Is this happening automatically because you got an e-mail account from the company and the company runs on MS Office and you're identified as am employee within it? What triggered it?

This seems like somewhat of a scandal that deserves its own post, but it also needs a lot more details to be trustworthy and for people to understand what exactly is happening.

Also, was there some way for you to take ownership of the profile? Did it depend on verifying a certain e-mail address? Does it require you to get the company to remove it, or could you take ownership and then delete the LinkedIn account/profile yourself?

I’ve seen fake accounts created by bad actors attempting to pose as others for gaining remote employment. It’s possible that is what was happening, and the takedown was from LI taking down the profile from the bad actor.

Other times they would just link to real LinkedIn profiles, but the LinkedIn profile will say that they’re not actively looking and are a victim of id fraud basically.

It’s been a huge issue spotting candidates falsifying information since remote work took off unfortunately. They payout is if they can get at least 1 or 2 paychecks before being found out, they’ve made a good profit.

Of all the reading I've done on this story, your comment so far is the only post which would explain why linkedin is even doing this.

If anyone else as any more info on the why, please share.

> A few years ago, intentionally fingerprinting or tracking your users without disclosure was spyware and unethical. Alas, here we are.

For over 15 years reCAPTCHA has relied on browser fingerprinting to help distinguish humans from bots. And fingerprintjs.com has been around for well more than a couple years.

That said, sniffing the browser extensions someone is using is NOT a common fingerprinting method used by my examples, but just saying fingerprinting itself without explicit disclosure has been around for quite a long time. It happens on literally every CAPTCHA service. I hate it of course, but the ship sailed a long time ago.

--

I like this demo for testing my browser's resilence against fingerprinting: https://fingerprint.com/demo/

It's the typical Microsoft playbook, where they release a product and convince everyone that it has to be used everywhere, and by the time people realize how unbelievably terrible the product is it's too late and it has entrenched itself everywhere.

They've run this experiment before; Windows is terrible and has been for a very long time, Microsoft Office is terrible and has been for a very long time, Sharepoint is terrible and has been for a very long time, LinkedIn is terrible and has been for a very long time, etc.

It's what they do, there is not a single thing that Microsoft does not half-ass, because all they focus on is getting embedded into places, and that does not require that any of their products be good.

Many extensions designed to scrape data from social media websites are disguised as simple extensions that do something else.

If I had to guess: I sought that automatic content blurrer, neurodivergent website simplifier, or anti-Zionist tagger actually work. They’re all just piggybacking on trending topics to get users to install them and then forget about them, then they exfiltrate the data when you visit LinkedIn.

It's for fingerprinting and possibly ad targeting.

It's no different from when you visit an Islamist or anti-Zionist website that has analytics/trackers/ads on it.

It's bad, but this "massive violation of trust" is happening everywhere and has been for decades. There's nothing that's unique to Microsoft here.

> this is a massive violation of trust

This is not. To violate trust, there should have been some.

Almost certainly they are using that for audience segmentation and ad targeting. Clever and disgusting. This isn't the invention of some evil moustache-twirling executive, this was the invention of an employee or group of employees who value money more than morals. We should think of such employees as henchmen.

These extensions sound like straight up malware anyway

  LinkedIn scans for Anti-woke (“The anti-wokeness extension. Shows warnings about woke companies”), Anti-Zionist Tag (“Adds a tag to the LinkedIn profiles of Anti-Zionists”), Vote With Your Money (“showing political contributions from executives and employees”), No more Musk (“Hides digital noise related to Elon Musk,” 19 users), Political Circus (“Politician to Clown AI Filter,” 7 users), LinkedIn Political Content Blocker, and NoPolitiLinked.

If you mean by the website, then - surely not. What basis do you have to trust websites you visit? Especially a social network that owned by Microsoft to boot?

If you mean the _browser_, then I agree in principle, but - it is a browser offered to you by Alphabet. And they are known to mass surveillance and use of personal information for all sorts of purposes, including passing copies to the US intelligence agencies.

But of course, this is what's promoted and suggested to people and installed by default on their phones, so even if it's Google/Alphabet, they should be pressured/coerced into respecting your privacy.

It scans thousands so in thousands, some of them have these weird names

All illegal or unethical means can be explained, but not justified, by their ends.

I'm quite sure having unfettered insight into the browser environments of your users makes enforcing your Terms of Service much easier, but held against the (even minute) risk of exposing one of users' political, religious or sexual preferences, any of which might carry with it massive risk of bodily injury or death in many parts of the globe? I'm sorry but ToS enforcement does not even begin to clear that bar.

If you don't want your users to scrape large parts your website, have you considered just blocking users with outsized traffic usage and not violating their privacy in the process?

Justifying this invasion of privacy as a means of defending LinkedIn against the apparently existential threat posed by something as pedestrian as scraping is especially ridiculous when considering how LinkedIn managed to even get off the ground in the first place: By invading the privacy of its unwitting users by scraping their contacts and impersonating them via email[1].

[1] https://en.wikipedia.org/wiki/LinkedIn#Use_of_e-mail_account...

> To protect the privacy of our members, their data, and to ensure site stability, we do look for extensions that scrape data without members’ consent or otherwise violate LinkedIn’s Terms of Service.

What a nightmare! Are your findings and this list of malicious extensions published somewhere?

And you should be trusted because…

You state a lot, but not once you give even the slightest proof to your claims.

Call me doubtful at best.

I have trouble trusting anything run by Microsoft, and in particular anything run by LinkedIn considering it is the absolute worst site that I have to use.

Microsoft has lied in the past about what information that they do and don't store, why should we believe you now?

Micrôsoft does indeed have a lofty and sturdy moral high ground from which to denounce scrapers and breaches of intellectual property rights and website TOS violations, having never invested in OpenAI.

I... I searched for this extension.

I also have porn specific firefox profile in addition to these two

> I now run personal and professional browser profiles from two different jails / cgroups. It's a pain in the arse to set up, and I have to verify my config still works after every update

You may be interested in Qubes OS. My daily driver. Can't recommend it enough.

that's basically how it already works...

extensions choose on which site they're active and if they provide any available assets (e.g. some extensions modify CSS of the website by injecting their CSS, so that asset is public and then any website where the extension is active can call fetch("chrome-extension://<extension_id>/whatever/file/needed.css" if it knows the extension ID (fixed for each extension) and the file path to such asset... if the fetch result is 404, it can assume the extension is not installed, if the result is 200 it can assume the extension is installed.

This is what LinkedIn is doing... they have their own database of extension IDs and a known working file path, and they are just calling these fetches... they have been doing it for years, I've noticed it a few years back when I was developing a chrome extension which also worked with LinkedIn, but back then it was less than 100 extensions scanned, so I just assumed they want to detect specific extensions which break their site or their terms of use... now it's apparently 6000+ extensions...

Sister comment indicates it isn't as simple as you might think:

https://news.ycombinator.com/item?id=47617972

Is it that easy?

  Chrome extensions can expose internal files to web pages through the web_accessible_resources field in their manifest.json. When an extension is installed and has exposed a resource, a fetch() request to chrome-extension://{id}/{file} will succeed. When the extension is not installed, Chrome blocks the request and the promise rejects.

Well, the developers of Chrome aren't exactly incentivized to prevent tracking (though perhaps tracking done by their competitors). But anyway, you can try to prevent it with a technical solution while also being outraged that they did it. If someone has their home broken into, perhaps they should have better locks, but the burglar is still responsible for their actions.

https://support.mozilla.org/en-US/kb/resist-fingerprinting works.

Chrome is adware.

The "The Attack: How it works" section explains how it works. It's not an API.

I am a little surprised something like CORS doesn't apply to it, though.

> Every time you open LinkedIn in a Chrome-based browser, LinkedIn’s JavaScript executes a silent scan of your installed browser extensions.

It's not clear though, either they only tested against chrome-based browsers or Firefox isn't enabling them to do so.

edit: I answered before I go fully through the article but it does say it's only Chrome based.

> The extension scan runs only in Chrome-based browsers. The isUserAgentChrome() function checks for “Chrome” in the user agent string. The isBrowser() function excludes server-side rendering environments. If either check fails, the scan does not execute.

> This means every user visiting LinkedIn with Chrome, Edge, Brave, Opera, Arc, or any other Chromium-based browser is subject to the scan.

I was under the impression Firefox randomises extension IDs on install, so hopefully not?

The answer to "why would Chrome ever undermine privacy and security?" is always "Google's revenue stream".

I'm happy to see that this doesn't hit firefox. I wonder if safari is impacted.

they seem to be calling `chrome-extension://.....` so i don't think it applies to firefox

Because what they're scanning for is scrapers. So much linkedin scraping. And I'd bet that the majority of the innocuous-looking extensions are scrapers hidden as other extensions to get users to unknowingly use them.

Firefox-based browsers not affected.

> The “how it works” page suggests it only works on chrome based browsers. Anyone able to determine if firefox or safari are affected too?

The code filters out non-chrome browsers: >The extension scan runs only in Chrome-based browsers. The isUserAgentChrome() function checks for “Chrome” in the user agent string. The isBrowser() function excludes server-side rendering environments. If either check fails, the scan does not execute.

What scanning for browser extensions taught me about B2B sales

Also: stop installing random extensions

It's a call for funding. I suspect the answer they want, is click on a donation link; regardless of which browser you're using.

TFA explains it is looking for installed browser extensions (which sites are allowed to do)

it can in the fantasy world of incorrect headlines

While you're at it, you should also find out why a website can scan your internal network...

The title is clickbaity. The website scans the browser for installed extensions.

They also try to profile for things like political beliefs.

no, it's about scraping.

If other people collect data like that it's probably also illegal.

For you personally, to solve this issue in particular? Use Firefox. Google is evil, and there's a good chunk of the Chrome team who are actively enemy combatants.

For the broader issue of not wanting to give even the information you'd need to choose to share to LinkedIn? Network the good ol' fashioned way: talking to random strangers in San Francisco bars.

This is why the EU regulates them (or pretends to) as a public utility. The individual action I took was to donate to Fairlinks‘ legal fund.

I’d suggest having an adblocker first.

Second not having a ton of extensions. Extensions can do fishy things.

This is Chrome’s broken model. Before installing an extension, one should be able to see all the domains an extension talks to.

The domains should be listed in manifest. But that’s not how it works.

In Android, every app you open needs a gazillion default permissions.

You would need to use use_dynamic_url: true in the manifest to create a unique one.

https://www.firefox.com/

Nope, which is why Chrome exists, to allow Google to do this. Which is why you should avoid chromium.

Some of the spiciest:

* Anti-Zionist Tag (directly inferring political opinion)

* PordaAI (Islamic content filter)

* simplify (browsergate.eu specifically called out as a neurodivergent accessibility tool. Job search autofill that markets itself as particularly useful for people who struggle with forms)

* No more Musk ("Hides digital noise related to Elon Musk")

* Political Circus ("Politician -> Clown AI Filter")

* Job application trackers and utils ("Job Follow-Up Tracker" etc)

* Various "Distraction Blocker" type addons

LinkedIn scanning for tools that scrape LinkedIn:

* LinkedIn Cookie Sync for Headhunting Agent

* LinkedIn Cookie importer for Derrick (lol "for Derrick")

* MailMatics Cookie Grabber

* LinkedIn Fake Job Post Detector. Yes, they're detecting an addon that exposes fake job postings on their own platform.

*NOT* in the list, if you were wondering:

* Shinigami Eyes

* Dark Reader

* Adblockers

* Password managers

* FoxyProxy

* User-Agent spoofers, request modification tools, etc

* Most privacy/security tools (no uBO, no Privacy Badger, no FoxyProxy, no NoScript, etc.

For the latter category, the most interesting things there we found *were* searched-for are BuiltWith Technology Profiler, and some browser addons bundled from scanners (e.g. "Malwarebytes Browser Guard Beta").

If you hadn’t written that post using AI, it might’ve received more attention. Also, (1) if you’d put LinkedIn in the title, rather than the very bottom of the post, and (2) if you’d provided any insight, rather than just speculation, as to what the data might be being used for.

Thank you for that post, it describes the invasion of privacy at a deeper level. I must have missed it but YCombinator is filled with people with a vested interest in keeping the clown show going.

I agree.

I'm not convinced by their page explaining "Why it's illegal and potentially criminal" [0]. It's written by security researchers and non-attorneys.

For example, this characterization seems overly broad:

> The Court of Justice of the European Union has ruled, in three separate cases, that data which allows someone to infer or deduce protected characteristics is covered by this prohibition, regardless of whether the company intended to collect sensitive data.

[0] https://browsergate.eu/why-its-illegal/

All apps can do that right

If you use both from the same IP without using a VPN… the profiles are most certainly grouped. There are commercial datasets on IP addresses with almost 100% accuracy with tags like “school”, “house”, “apartment block” etc. Furthermore, if you ever logged into both sites from within the same browser by accident, the link by fingerprinting was made right there and then. The final profile on you may not be 100% accurate, but certainly is in the 98% range.

Since the list of extensions they query targets certain religious groups and medical conditions, it's almost certainly in violation of US federal employment and hiring law.

Lol, you forgot the /s

I really like going to linkedin daily to play minisudoku and a couple of other puzzles, then never engage the feed or other features

You can use Firefox with different profiles and configure it to launch particular profile directly, without launching default profile and using about:profiles.

Firefox with a non-default profile can be created like that:

  ./firefox -CreateProfile "profile-name /home/user/.mozilla/firefox/profile-dir/"
  # For linkedin that would be:
  ./firefox -CreateProfile "linkedin /home/user/.mozilla/firefox/linkedin/"

  ./firefox -profile "/home/user/.mozilla/firefox/profile-dir/"
  # For linkedin that would be:
  ./firefox -profile "/home/user/.mozilla/firefox/linkedin/"

    - create a copy of it, say, /usr/bin/firefox-linkedin
    - adjust the relevant line, adding the -profile argument

Of course, "./firefox" from examples above should be replaced with the actual path to executable. For default installation of Firefox the path would be in /usr/bin/firefox script.

So, you can have a separate profiles for something sensitive/invasive (linkedin, shops, etc.) and then you can have a separate profile for everything else.

And each profile can have its own set of extensions.

This is only a thing for Chrome. You trust Google to protect user privacy towards websites in 2026..?

I'm shocked, shocked to find that a Microsoft product will actively do a bunch of horrible invasive stuff while simultaneously not caring about security of this private data.

We can hypothesize that there may exist some for-profit companies that deserve the benefit of the doubt. Microsoft is not one of them.

LinkedIn is far from the only actor doing this. Browser extension fingerprinting is not new. LinkedIn‘s size, scope, network effects make this especially concerning.

Still pretty annoying browsers haven't patched that yet.

This has been going on for at least 5 years. It pops up on HN every so often.

Seems like it. Which is serious but far from what I thought when I read the title. I suspect 90% of LinkedIn users don't even have a single browser extension installed.

Pretty sure that if they could they would, but browsers sandboxing security prevent this to go unnoticed.

Therefore it’s okay, is that your point? Because I don’t think it is.

I get it — it can be frustrating to encounter so much low effort AI content these days. But I think it’s worth looking at the bright side here: the increase in our production of entropy from GPU consumption will hasten the heat death of the universe.

Would you like me to suggest some AI summarizer tools you could use to more efficiently read AI generated content in the meantime?

This is incredibly normal language and quite close to how I would write this quote, so what makes you think this is LLM text?

Reading (and even more so, using the tools to produce) a bunch of LLM-output writing also affects one’s writing style. Ever sat down and blown through 3-4 books by a favorite author, then written something and found yourself using similar structure, word choice, style…? This could very well be a human author that’s been exposed to a lot of LLM output (ie 95% of this site’s audience).

I find myself doing this a lot, and I’m sure even more slips without my notice.

> It's all so tiring.

What's tiring is a comment like this. If you don't like the article don't read it -- and don't comment.

I agree that that line reads GPT-like, but it's far from a conclusive tell. One option that I wonder about is if frequent interaction with AI will begin to influence people's organic writing style.

Who cares if it’s LLM written or assisted writing?

What matters is the content!

LLMs didn't invent the "Rule of Three".

Nothing in this sentence is evidence of AI.

What's next? "There's punctuation in the sentence, must be AI" ?

How is that quote in any way demonstrative of this being written by LLM? You do know that LLMs were trained on the internet and every digitized text they could get their hands on? You are jumping at shadows, calm down already.

what makes you think that? and what sets your comment appart from beeing created by an llm?

How can you tell?

I don’t like AI slop as much as the next guy, but that part doesn’t seem so bad? Sounds like something anyone could write.

Ehh… this quote alone is pretty benign. If you didn’t mention it, I wouldn’t have even considered the possibility of AI.

That's the intention. Make the internet so unbelievably shit that you just accept and move on.

because corporate greed corrupts every nice thing: it pushes the other (maybe more moral) 'nice thing' alternatives out of the ecosystem by subsiding using VC funding to provide 'NiceThing!' for free until 'NiceThing!' is the monopoly or bought by another entity to become part of the monopoly (due to weak/not enforced antitrust laws).

Because we let them get away with it. Take something they're going to miss and can't replace (e.g. their freedom or their head) and it will stop as long as enforcement is reliable enough that they expect to get caught.

These aren't good people, but if you make the fine to the organisation much more expensive than the expected return, lock up the whole board and leave their families without a pot to piss in we will see this become the exception instead of the norm.

Unbounded capitalism.

So is this comment.

Yeah I agree

Copyright isn't relevant here.

For my curiosity what would the fair use be?

No?