Discussion
LinkedIn Is Illegally Searching Your Computer
josefritzishere: Why can't we have nice things?
free_bip: They only mention this being a potential violation of the DMA. How about north american countries? US and Canada?
neom: - https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-can...- https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-can...- https://www.priv.gc.ca/en/opc-news/news-and-announcements/20...- https://iclg.com/practice-areas/cybersecurity-laws-and-regul...10 years in jail: https://laws-lois.justice.gc.ca/eng/acts/C-46/section-342.1....
foxes: It seems it scans your extensions not your system - reading the details. The intro made it a bit unclear.
sgt: Seems like it. Which is serious but far from what I thought when I read the title. I suspect 90% of LinkedIn users don't even have a single browser extension installed.
arafeq: the part about scanning for 509 job search extensions is especially nasty. imagine getting flagged to your employer because linkedin detected you had a job board extension installed.
z3ratul163071: why would the browser ever expose extensions api to a web page. does firefox does this as well?
Panda4: > Every time you open LinkedIn in a Chrome-based browser, LinkedIn’s JavaScript executes a silent scan of your installed browser extensions.It's not clear though, either they only tested against chrome-based browsers or Firefox isn't enabling them to do so.
_pdp_: The title is a complete nonsense.
jb1991: So is this comment.
ericyd: I don't like any of this, but I'm not totally clear how this is substantially different from other fingerprinting technologies which I assume are used by every large tech company. Could anyone elaborate? The post isn't very clear why this is different from other data surveillance.
cedilla: If other people collect data like that it's probably also illegal.
haswell: The headline seems pretty misleading. Here’s what seems to actually be going on:> Every time you open LinkedIn in a Chrome-based browser, LinkedIn’s JavaScript executes a silent scan of your installed browser extensions. The scan probes for thousands of specific extensions by ID, collects the results, encrypts them, and transmits them to LinkedIn’s servers.This does seem invasive. It also seems like what I’d expect to find in modern browser fingerprinting code. I’m not deeply familiar with what APIs are available for detecting extensions, but the fact that it scans for specific extensions sounds more like a product of an API limitation (i.e. no available getAllExtensions() or somesuch) vs. something inherently sinister.I’m certainly not endorsing it, do think it’s pretty problematic, and I’m glad it’s getting some visibility. But I do take some issue with the alarmist framing of what’s going on.I’ve come to mostly expect this behavior from most websites that run advertising code and this is why I run ad blockers.
replwoacause: I disagree, I think we should push back hard on behavior like this. What business is it of LinkedIn's what browser extensions I have installed? I think the framing for this is appropriate.
Joeboy: The most obvious reason for this is browser fingerprinting, right? So your visits to other websites can be linked to your Linkedin identity? Or no?
plagiarist: Unbounded capitalism.
mikkupikku: LinkedIn has been overtly evil for decades, and their power users are the most insufferable sort of middle management yuppy scum. I know job searching can be hard, but I don't go near LinkedIn with a ten foot pole.
anon22981: I really like going to linkedin daily to play minisudoku and a couple of other puzzles, then never engage the feed or other features
jameskilton: Why would you go to LinkedIn to play puzzle games? There's thousands of other places to do so.
hjk2: How a web site can search one's computer?
crest: The title is clickbaity. The website scans the browser for installed extensions.
knollimar: Reminder for windows control alt shift windows L
Ajedi32: Still pretty annoying browsers haven't patched that yet.
acorn221: They have! It's these developers either not knowing or not caring about it which is the issue! I did a blog post about this a while back showing how they do it, and how you can get around it, it's not very complex for the devs.https://www.linkedin.com/pulse/how-linkedin-knows-which-chro...
ceejayoz: The "The Attack: How it works" section explains how it works. It's not an API.I am a little surprised something like CORS doesn't apply to it, though.
RajT88: TFA explains it is looking for installed browser extensions (which sites are allowed to do)
Ajedi32: LinkedIn is a job board so that seems unlikely.
bdangubic: LinkedIn is a job board as much as Facebook is picture-sharing website
mikkupikku: Are you kidding? They've probably been selling a datastream of who in the company has been job searching to company HR departments the whole time. Search for a job on LinkedIn and I bet anybody with a paid corporate account can find that out if they care to.
mentalgear: because corporate greed corrupts every nice thing: it pushes the other (maybe more moral) 'nice thing' alternatives out of the ecosystem by subsiding using VC funding to provide 'NiceThing!' for free until 'NiceThing!' is the monopoly or bought by another entity to become part of the monopoly (due to weak/not enforced antitrust laws).
crest: Because we let them get away with it. Take something they're going to miss and can't replace (e.g. their freedom or their head) and it will stop as long as enforcement is reliable enough that they expect to get caught.These aren't good people, but if you make the fine to the organisation much more expensive than the expected return, lock up the whole board and leave their families without a pot to piss in we will see this become the exception instead of the norm.
acorn221: Yeah I agree
jwsteigerwalt: LinkedIn is far from the only actor doing this. Browser extension fingerprinting is not new. LinkedIn‘s size, scope, network effects make this especially concerning.
glenstein: They also try to profile for things like political beliefs.
VladVladikoff: It is likely in response to scraping. Linked in is heavily scraped by scammers who do the BEC scams. So linked in is trying to find ways to link together banned accounts, to handle their ban evasion.I run a site which attracts a lot of unsavoury people who need to be banned from our services, and tracking them to reban them when they come back is a big part of what makes our product better than others in the industry. I do not care at all about actually tracking good users, and I am not reselling this data, or anything malicious, it's entire purpose is literally to make the website more enjoyable for the good users.
haswell: To broaden my point, I think we’d find that many websites we use are doing this.My point isn’t that this is acceptable or that we shouldn’t push back against it. We should.My point is that this doesn’t sound particularly surprising or unique to LinkedIn, and that the framing of the article seems a bit misleading as a result.
devy: > To broaden my point, I think we’d find that many websites we use are doing this.Your point of "I think we’d find that many websites we use are doing this" doesn't make LinkedIn's behavior ok!By your logic, if our privacy rights are invaded which is illegal in most jurisdiction, and then it become ok because many companies do illegal things??
al_borland: Several years ago I heard the company I worked for say they had a way to get notified if it seemed like an employee might be thinking of leaving, so they could take some kind of action. I now wonder if LinkedIn, or various job sites, were selling them data.
kps: Why is it possible for a web site to determine what browser extensions I have installed? If there are legitimate uses, why isn't this gated behind a permission prompt, like things like location and camera?
haswell: This, to me, seems like the more salient point. A headline like “Major browsers allow websites to see your installed extensions” seems more appropriate here.We’ve known for a long time that advertisers/“security” vendors use as many detectable characteristics as possible to constrict unique fingerprints. This seems like a major enabler of even more invasive fingerprinting and that seems like the bigger issue here.
halapro: There's nothing to patch, scanning is not possible.It's either the extension's choice to become detectable ("externally_connectable" is off by default) or it makes unique changes to websites that allow for its detection.
Ajedi32: If it were just a matter of detecting changes to the DOM then this could only detect extensions that alter the LinkedIn website itself. I agree that would be much harder to make undetectable, but this seems like it goes beyond that.
OoooooooO: Firefox uses UUID for the local extension url per extension so you can't search for hardcoded local urls.
esseph: [delayed]
dylan604: What is a Chrome-based browser? Isn't Chrome Google's Chromium based browser? How many are based on Chrome?
Fokamul: This is result of browser fingerprinting.My guess, Linkedin is used for years as source of valuable information for phishing/spear-phishing.Maybe their motive is really spying. But more important for them is to fight against people botting Linkedin.Imho, browser fingerprinting should be banned and EU should require browser companies to actively fight against it, not to help them (Fu Google)
gburgett: The “how it works” page suggests it only works on chrome based browsers. Anyone able to determine if firefox or safari are affected too?
pamcake: Firefox-based browsers not affected.
arndt: Is there a way to disable the ability for websites to scan for extensions in Chrome?
donatj: If they are genuinely only using the information to detect bad actors and maintain site stability as the affidavit states, and if they can prove it, this seems like potentially a non-issue?I am not a lawyer, but site stability seems like a GDPR "Legitimate Interest" in my book anyway.
devy: LinkedIn has been a weirdest social network for a long time.https://hn.algolia.com/?q=linkedin+weird
VladVladikoff: >The user is never asked. Never told. LinkedIn’s privacy policy does not mention it.OMG is literally every article written with LLMs these days I just can't anymore. It's all so tiring.
Ajedi32: `use_dynamic_url` seems like it should be enabled by default, maybe with a phase-out period for backwards compatibility with older extensions.
mentalgear: Interesting. I didn't know a extension’s web-accessible resource (e.g. chrome-extension://<id>/...) could be abused to learn about the user's installed extensions by checking whether it resolves or not.
davidmurdoch: You would need to use use_dynamic_url: true in the manifest to create a unique one.
acorn221: Yeah, this is the easiest way to get around it
maplethorpe: Doesn't it depend how they're storing the data? If it's sufficiently transformed, it could be considered fair use.
cwillu: Copyright isn't relevant here.
andersonpico: How is probing your browser for installed extensions not "scanning your computer"?Calling the title misleading because they didn't breach the browser sandbox is wrong when this is clearly a scenario most people didn't think was possible. Chrome added extensionId randomization with the change to V3, so it's clearly not an intended scenario.> vs. something inherently sinister (e.g. “they’re checking to see if you’re a Muslim”)They chose to put that particular extension in their target list, how is it not sinister? If the list had only extensions to affect LinkedIn page directly (a good chunk seem to be LinkedIn productivity tools) they would have some plausible deniability, but that's not the case. You're just "nothing ever happens"ing this.
afandian: When "the browser is the OS", scanning that is a pretty big chunk of "your computer".
chii: but the language of "your computer" implies files on your computer, as it would be what people commonly call it. Merely just the extension is not enough.If it has the ability to scan your bookmarks, or visited site history, that would lend more credence to using the term "computer".The title ought to have said "linkedIn illegally scans your browser", and that would make clear what is being done without being sensationalist.
esses: Why does this entire site read like it’s LLM generated?
add-sub-mul-div: Maybe it's not and it's just badly written, but we've come to associate the two so strongly that we can't separate them.
dweinus: Understandable, and yet none of that makes it ok.
giancarlostoro: > It also seems like what I’d expect to find in modern browser fingerprinting code.Time to figure out if I can make FireFox pretend to be Chrome, and return random browser extensions every time I visit any website to screw up browser fingerprinting...
andersonpico: this is a massive violation of trust> The scan doesn’t just look for LinkedIn-related tools. It identifies whether you use an Islamic content filter (PordaAI — “Blur Haram objects, real-time AI for Islamic values”), whether you’ve installed an anti-Zionist political tagger (Anti-Zionist Tag), or a tool designed for neurodivergent users (simplify).
egorfine: > this is a massive violation of trustThis is not. To violate trust, there should have been some.
grub5000: This is incredibly normal language and quite close to how I would write this quote, so what makes you think this is LLM text?
trey-jones: The fact that every job application wants a link to my profile on a platform that tries to push "brain training puzzle and games" on me just makes me angry every single time. I really hate LinkedIn and my active rebellion against it is hurting my ability to find a new job.I know there has been other LinkedIn hate on HN this week. I know they have some good tools for job searching and hiring. I still wish we as a society could move on and leave this one with MySpace.
haswell: Absolutely not. At no point am I saying this is ok.I’m saying that the framing of the article makes this sound like LinkedIn is the Big Bad when the reality is far worse - they’re just one in a sea of entities doing this kind of thing.If anything, the article undersells the scale of the issue.
MagicMoonlight: Who makes browsers? Ad companies.Of course Google is going to back door their browser.
da_grift_shift: This is https://news.ycombinator.com/item?id=46904361, right?
pier25: I alway use LinkedIn and Meta websites in a different browser altogether.I hope browsers in the future will need to ask for permission before doing any of that.
dt3ft: If you use both from the same IP without using a VPN… the profiles are most certainly grouped. There are commercial datasets on IP addresses with almost 100% accuracy with tags like “school”, “house”, “apartment block” etc. Furthermore, if you ever logged into both sites from within the same browser by accident, the link by fingerprinting was made right there and then. The final profile on you may not be 100% accurate, but certainly is in the 98% range.
gwerbin: It's one thing if they have a shadow profile on you (and dozens of companies almost certainly do), but it's another thing if you give them meaningful info about you to enrich that profile with. They can figure out roughly what block you live on, OK fine, but unless you're in a rural area with no neighbors they might not be able to do much better than that.
roblabla: It does two things:1. Do a request to `chrome-extension://<extension_id>/<file>`. It's unclear to me why this is allowed.2. Scan the DOM, look for nodes containing "chrome-extension://" within them (for instance because they link to an internal resource)It's pretty obvious why the second one works, and that "feels alright" - if an extension modifies the DOM, then it's going to leave traces behind that the page might be able to pick up on.The first one is super problematic to me though, as it means that even extensions that don't interact with the page at all can be detected. It's unclear to me whether an extension can protect itself against it.
mrgoldenbrown: TFA goes into a lot of detail explaining why they "allegedly" aren't actually allowed to do so in the EU.
philipwhiuk: Or just not allow them to load the URIs at all
j45: There are rules and laws about fingerprinting too, I thought.
lastofthemojito: > this is why I run ad blockers.It's pretty wild that we live in a world where the actual FBI has recommended we use ad blockers to protect ourselves, and if everyone actually listened, much of the Internet (and economy) as we know it would disappear. The FBI is like "you should protect yourself from the way that the third largest company in the world does business", and the average person's response is "nah, that would take at least a couple of minutes of my time, I'll just go ahead and continue to suffer with invasive ads and make sure $GOOG keeps going up".
j45: I wonder if this is part of the reason why LinkedIn tabs seem to use so much ram, and sometimes run away CPU processes.
pqtyw: Extensions are files installed on your computer, though?
nottorp: Hmm I opened linkedin in Firefox and ublock origin showed it blocked 4 items... then switched away and back and the counter was up to 12.Is that enough blocking, I wonder?
butlike: This is really delightfully quirky
Aurornis: > What business is it of LinkedIn's what browser extensions I have installed?The list of extensions they scan for has been extracted from the code. It was all extensions related to spamming and scraping LinkedIn last time this was posted: Extensions to scrape your LinkedIn session and extract contact info for lead lists, extensions to generate AI message spam.That seems like fair game for their business.
inetknght: > the fact that it scans for specific extensions sounds more like a product of an API limitation (i.e. no available getAllExtensions() or somesuch) vs. something inherently sinister (e.g. “they’re checking to see if you’re a Muslim”).Your computer is your private domain. Your house is your private domain. You don't make a "getAllKeysOnPorch()" API, and certainly don't make "getAllBankAccounts()" API. And if you do, you certainly don't make it available to anyone who asks.It absolutely is sinister.
jredwards: I've been avoiding Chrome-based browsers for many years now but have only recently become aware of how catastrophically low the Firefox market share is. I'm kind of shocked that more people aren't choosing to avoid Chrome.
Someone: [delayed]
chimeracoder: > Who makes browsers? Ad companies.> Of course Google is going to back door their browser.Aside from the fact that other browsers exist, this makes no sense because Google would stand to gain more by being the only entity that can surveil the user this way, vs. allowing others to collect data on the user without having to go through Google's services (and pay them).
pqtyw: > no available getAllExtensions()Well great there is no avalable 'getAllFiles()' or such either because they'd be scanning your files for "fingerprinting" as well.> alarmist framingWell they literally searching your computer for applications/extensions that you have installed? (and to an extent you can infer what are some of the desktop applications you have based on that too)
ottah: How is that quote in any way demonstrative of this being written by LLM? You do know that LLMs were trained on the internet and every digitized text they could get their hands on? You are jumping at shadows, calm down already.
injidup: In the same way that scanning and identifying your microwave for food you put inside it is not the same as scanning your house and reading the letters in your postbox.Your browser is a subset of your computer and lives inside a sandbox. Breaching that sandbox is certainly a much more interesting topic than breaking GDPR by browser fingerprinting.
blenderob: > but the language of "your computer" implies files on your computer, as it would be what people commonly call it. Merely just the extension is not enough.But the language of "your computer" also implies software on your computer including but not limited to Chrome extensions.
sumanep: Bait, just look at browser addons, millons of site do it as well
badgersnake: Therefore it’s okay, is that your point? Because I don’t think it is.
j45: Ad blockers focus on ads, not fingerprinting.
j45: > "they're checking to see if you're a Muslim"This could be easily inferred from the depth, breadth, and interconnectedness of data in the website.By downplaying it, it's allowing it to exist and do the very thing.The issue here is this stuff is working likely despite ad blockers.Fingerprinting technology can do a lot more than just what can be learned from ads.
coldpie: You really need to work on your reading comprehension, dude.
Aurornis: This has been covered several times including reverse engineering of the code. The list of extensions they check for doesn’t include common extensions like ad blockers. It’s exclusively full of LinkedIn spamming and scraping type of extensions.They also logically don’t need to fingerprint these users because those people are literally logging in to an account with their credentials.By all appearances they’re just trying to detect people who are using spam automation and scraping extensions, which honestly I’m not too upset about.If you never install a LinkedIn scraper or post generator extension you wouldn’t hit any of the extensions in the list they check for, last time I looked.
honzaik: it apparently scans for something like "PQC Checker", an extension for checking if TLS connection is PQC-enabled? how is that a spam extension (and thats just a random one i saw)
Aurornis: Probably compromised extensions or misleading extensions.It’s common for malware extensions to disguise themselves as something simple and useful to try to trick a large audience into installing them.That’s why the list includes things like an “Islamic content filter” and “anti-Zionist tagger” as well as “neurodivergent” tools. They look for trending topics and repackage the scraper with a new name. Most people only install extensions but never remove them if they don’t work.
honzaik: well if they have evidence why they dont report it? why are these extensions on the store? im sure linkedin has enough motion to report it directly to googlealso, having a PQC enabled extension doesnt seem like a good "large user base capture" tactic.the source code is as usual obfuscated react but that doesnt mean its malicious...
jack_ball: I agree that that line reads GPT-like, but it's far from a conclusive tell. One option that I wonder about is if frequent interaction with AI will begin to influence people's organic writing style.
theandrewbailey: What scanning for browser extensions taught me about B2B sales
acheron: This is a Chrome thing. It’s a safe bet that if you use Google products you don’t care about privacy anyway. “Google product collects info about you: news at 11.”
taneq: Google cares deeply about privacy. Google defines privacy as them not giving your private data that they have collected to anyone else unless you ask them to.
hybrid_study: Who cares if it’s LLM written or assisted writing?What matters is the content!
j45: Browsers almost need a firewall against websites for the functions and scans being run on it by websites.Different browsers have various settings available, but do we have a little snitch for a web browser?
al_borland: > I’ve come to mostly expect this behavior from most websites that run advertising code and this is why I run ad blockers.Expecting and accepting this kind of thing is why everyone feels the need to run an ad-blocker.An ad-blocker also isn’t full protection. It’s a cat and mouse game. Novel ideas on how to extract information about you, and influence behavior, will never be handled by ad-blockers until it becomes known. And even then, it’s a question of if it’s worth the dev time for the maker of the ad-blocker you happen to be using and if that filter list gets enabled… and how much of the web enabling it breaks.
armchairhacker: Regulation is also a cat-and-mouse game. Life is a cat-and-mouse game.
beejiu: LLMs didn't invent the "Rule of Three".
taneq: Agreed, but also, permission prompts are way overused and often meaningless to anyone at all, even fellow software engineers. “This program [program.exe] wants to do stuff, yes/no?” How should I know what’s safe to say yes to?I think Android’s ‘permissions’ early on (maybe it’s improved?) and Microsoft’s blanket ‘this program wants to do things’ authorisation pop up have set a standard here that we shouldn’t still be following.
1shooner: >Calling the title misleading because they didn't breach the browser sandbox is wrongBy this logic we could also say that LinkedIn scans your home network.
haswell: > How is probing your browser for installed extensions not "scanning your computer"?I think most people would interpret “scanning your computer” as breaking out of the confines the browser and gathering information from the computer itself. If this was happening, the magnitude of the scandal would be hard to overstate.But this is not happening. What actually is happening is still a problem. But the hyperbole undermines what they’re trying to communicate and this is why I objected to the title.> They chose to put that particular extension in their target list, how is it not sinister?Alongside thousands of other extensions. If they were scanning for a dozen things and this was one of them, I’d tend to agree with you. But this sounds more like they enumerated known extension IDs for a large number of extensions because getting all installed extensions isn’t possible.If we step back for a moment and ask the question: “I’ve been tasked with building a unique fingerprint capability to combat (bots/scrapers/known bad actors, etc), how would I leverage installed extensions as part of that fingerprint?”What the article describes sounds like what many devs would land on given the browser APIs available.To reiterate, at no point am I saying this is good or acceptable. I think there’s a massive privacy problem in the tech industry that needs to be addressed.But the authors have chosen to frame this in language that is hyperbolic and alarmist, and in doing so I thing they’re making people focus on the wrong things and actually obscuring the severity of the problem, which is certainly not limited to LinkedIn.
an0malous: I get it — it can be frustrating to encounter so much low effort AI content these days. But I think it’s worth looking at the bright side here: the increase in our production of entropy from GPU consumption will hasten the heat death of the universe.Would you like me to suggest some AI summarizer tools you could use to more efficiently read AI generated content in the meantime?
chii: it doesn't have to be files. it could be in memory on the browser. Extensions don't imply files for anyone but the most technical of conversations. Certainly not to the laymen.Having sensationalist titles should be called out at every opportunity.
GavinMcG: It’s the fake drama. Punchy sentences. Contrast. And then? A banal payoff.
largbae: For my curiosity what would the fair use be?
maplethorpe: Research.
fallinditch: I asked an LLM to create a plan for a 'digital rebirth' in order to minimize privacy harms. It's a lot of work, but increasingly: a worthwhile endeavor.
emacdona: > I think most people would interpret “scanning your computer” as breaking out of the confines the browser and gathering information from the computer itself.That is exactly how I interpreted it, and that is why I clicked the link. When I skimmed the article and realized that wasn't the case, I immediately thought "Ugh, clickbait" and came to the HN comments section.> To reiterate, at no point am I saying this is good or acceptable. I think there’s a massive privacy problem in the tech industry that needs to be addressed.100% Agree.So, in summary: what they are doing is awful. Yes, they are collecting a ton of data about you. But, when you post with a headline that makes me think they are scouring my hard drive for data about me... and I realize that's not the case... your credibility suffers.Also, I think the article would be better served by pointing out that LinkedIn is BY FAR not the only company doing this...
armadyl: > This is a Chrome thing.This is blatant misinformation. Firefox (and all of its derivatives) also does this.https://bugzilla.mozilla.org/show_bug.cgi?id=1372288
buellerbueller: When Aaron Swartz does it, it is the threat of life in prison leading to suicide. When a multibillion dollar company does it, it is just capitalism.HOLD EXECS LEGALLY ACCOUNTABLE, CRIMINALLY AND CIVILLY, FOR THE CRIMES OF THER CORPORATIONS.
catlifeonmars: [delayed]
unmole: > and if everyone actually listened, much of the Internet (and economy) as we know it would disappear.Would it really? It seems to me that most normal users spend most of their time and attention on apps, not in browsers.
secretsatan: Just use Safari, it won't even load the page half the time.
mewmewblobcat: Depends on what lists you use. If you use uBlock Origin, and enable most of the lists, it'll target both.
Scoundreller: > Every time you open LinkedIn in a Chrome-based browserI thought uBlock Origin was now dead in Chrome?I remember a few hacks to keep it going but have now migrated to Firefox (or sometimes Edge…) to keep using it.
ronjouch: [delayed]
jacquesm: Not mine. And why do we say LinkedIn, it is just Microsoft, just like Github is Microsoft and a whole raft of other companies are just Microsoft in a trenchcoat.
tartoran: And instead LinkedIn is scraping all users computers?
Aurornis: This doesn’t fit the description of scraping by any normal definition. It’s a classic feature probe structure, where the features happen to be scraping extensions.I think it’s kind of funny that HN has gone so reactionary at tech companies that the comments here have become twisted against the anti-spam measures instituted on a website that will never trigger on any of their PCs, because HN users aren’t installing LinkedIn scrape and spam extensions.
arafeq: the difference is intent. regular fingerprinting identifies your browser for ad tracking. linkedin is scanning for 509 specific extensions including job search tools, and they sell recruiter products to your employer. that's not fingerprinting, that's workplace surveillance with extra steps.
jamesgill: https://browsergate.eu/extensions/It seems to not scan for Privacy Badger and uBlock Origin, two extensions I rely on. That's...surprising.
chii: There's an implicit trust that a site doesn't try to racially profile you, as it is illegal. There's no enforcement, but that's why trust is being violated.
hedora: It's probably not illegal for advertisers to racially profile you, but it certainly is illegal in the US to do those things as part of your hiring process:https://www.eeoc.gov/prohibited-employment-policiespracticesLinkedIn's scanning for browser extensions used by protected groups allows them to provide illegal services to US-based recruiters. I have no idea if they actually do it or not, and am not a lawyer, but common sense suggests there's enough here for a class action suit to move into discovery.
nojs: It’s 100% LLM text. HN really needs a button “flag as slop”.
charles_f: It will sound like finessing on details, but details are important in these kind of claims, and this seems incorrect> Microsoft has 33,000 employees and a $15 billion legal budgetMicrosoft has more than 220k employees (it's hard to follow with all the layoffs), and the G&A in which bankrolls legal expenses (but not only - it also contains basically every employee who's not engineering or sales) was only 7B in 2025 - so legal budget is much lower than that.
nickvec: Majority of people use their mobile devices these days to browse the Internet. Installing an ad blocker on your iPhone is a significantly bigger challenge than on desktop.
AmazingTurtle: 6 months ago I already posted about thishttps://news.ycombinator.com/item?id=45349476
EdNutting: If you hadn’t written that post using AI, it might’ve received more attention. Also, (1) if you’d put LinkedIn in the title, rather than the very bottom of the post, and (2) if you’d provided any insight, rather than just speculation, as to what the data might be being used for.
Betelbuddy: The next step for a forensic investigator, is to found out how many of those extensions, are actually from a partner or fully owned subsidiary from LinkedIn... When you see a cockroach...
tpoacher: I get the point you're making, but to be clear, "they’re checking to see if you’re a Muslim" vs "they’re checking to see if your fingerprint matches that of known Muslims in our ever-expanding database" are not too far off.
halapro: As mentioned, there's a way to expose your extension to the web even without making changes. The other way is a key called "web_accessible_resources".All of these are opt-in by the extensions and MV3 actually force you to specify which domains can access your extension. So, again, each extension must explicitly allow the web to find it.
nusl: Why don't we train LLMs on the entire internet every day? Then we don't even need to read anything. Reading is something people did in 2025
tiku: I remember the LinkedIn app that got all your contacts from your phone and tried to add them to your network. I had random people from internet-deals (local craigslist) that where popping up. So strange that this was allowed.
lxgr: All I'm seeing is that Chrome apparently is failing to properly sandbox websites against extension fingerprinting.Sure, this can be solved at the legal layer, but in this case, there seems to be a much simpler and more effective technical solution, so why not pursue that instead?
streetfighter64: Well, the developers of Chrome aren't exactly incentivized to prevent tracking (though perhaps tracking done by their competitors). But anyway, you can try to prevent it with a technical solution while also being outraged that they did it. If someone has their home broken into, perhaps they should have better locks, but the burglar is still responsible for their actions.
surajrmal: Don't worry, soon you'll need to pay every website 5.99 a month because AI is destroying click through rates. The internet will likely be far worse without ads than with ads. Solving the tracking problem doesn't need to be mixed up with blocking ads outright. What's funny is that tracking isn't nearly as meaningful for click through rates on ads as relevance to what's on the page, and yet so much effort is placed onto tracking for the slim improvement it provides.
toomuchtodo: I would rather pay websites for content. I already do this today for more than ten publications and a handful of high value substacks, I'm happy to pay for more. Free does not scale, people need to eat and pay for rent, and ads are ineffective when everyone can block them.Ads are a symptom of the problem that people want human generated content for free.
streetfighter64: Not anymore. You can just find one on the app store and install it, almost exactly the same as you do in a browser's extension "store". It won't be as good as uBlock but it certainly works fine even in Safari.
nickvec: Which do you use? I was unaware that Apple even let such apps on the App Store. I always assumed that their ToS would strictly prohibit it.
pyreko: ublock origin lite is straight up on the app store now, should work with any moderately recent version of iOS/iPadOS. Installed this on my family's Apple devices and it works pretty well.There's also been other adblock apps for a long while, though (adguard comes to mind).
lxgr: > The scan probes for thousands of specific extensions by ID, collects the resultsWhy exactly does Chrome even allow this in the first place!? This is the most surprising takeaway for me here, given browser vendors' focus on hardening against fingerprinting.
financetechbro: uBlock Origin Lite works great for me
justonceokay: Are you defending LinkedIn’s behavior right now or are you just happy to be more technically correct (the best kind of correct!) than those around you? Trying to understand the angle
hedora: The list of queried extensions includes things that would be used by particular religious groups, and people with certain medical conditions.
j45: Go try it with fingerprint.com. Even post-sanitization, pi-hole, you name it, it will be surprising.
streetfighter64: fingerprint.com seems to be some fingerprinting vendor, they don't even offer a demo without logging in. https://coveryourtracks.eff.org is EFFs demo site is non-profit and doesn't require login
hedora: "allowed" by the web browser, but almost certainly not by the end user. The law is pretty clear on this in the US:> 'the term “exceeds authorized access” means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter;'The problem, of course, is that by clicking on a LinkedIn link, you agree to a non-negotiated contract that can change at any time, and that you have never seen. If that weren't allowed, then this sort of crap would correctly be considered "unauthorized access":https://www.law.cornell.edu/uscode/text/18/1030
i_love_retros: Half the population are fucking idiots. Possibly more than half.They need to be protected by the state because they can't think for themselves.The problem is in most countries and especially America the state is a corrupt cesspool.
gwerbin: Almost certainly they are using that for audience segmentation and ad targeting. Clever and disgusting. This isn't the invention of some evil moustache-twirling executive, this was the invention of an employee or group of employees who value money more than morals. We should think of such employees as henchmen.
luxuryballs: if they do a better job at showing me an ad that might be relevant to me, how is that disgusting? if I have to see an ad at all I at least want them to give it their best shot
debesyla: Not in Lithuania. While it's not the No1 or 2,3 platform for job advertisements, it's still very popular, especially for IT and management jobs.So this probably depends on the country.
bdangubic: Sorry, I meant more like vast majority of people daily on LinkedIn are not there cause they are unemployed and looking for work
hnburnsy: Go check out QueryAllPackages permission on Android and see which of your apps can scan and know about all the other apps on your Phone. Thanks Google!
gib444: All apps can do that right
Rychard: Firefox on Android supports it without any issue. That would cover a significant enough segment of the population that it might encourage actual change in the industry if people started moving to that platform.
Xirdus: Firefox on Android has approximately 0.5% market share on mobile, less than Opera. I really doubt it's enough to spark any sort of industry-wide change.
idbnstra: or Vivaldi is chrome based, and it supports full uBlock Origin. If you don't need CHROME chrome, that's even better imo
jonathanstrange: I'd be very happy with an internet without ads. Not that I see any ads anyway.
chromacity: The real story is what's going on behind the scenes. The charges are relatively flimsy (for the reason I mentioned in my other comment). But this site is basically taken from Microsoft's playbook: for years, they pretty transparently bankrolled shadowy, single-issue "grassroots advocacy" groups that went after their competitors under flimsy pretenses. These organizations attacked others but somehow never had an opinion about stuff like Windows Copilot.This feels very similar, except now it's taking a swing at Microsoft. It's apparently paid for by some mysterious "trade association and advocacy group for commercial LinkedIn users" - uh huh. I'm not going to shed any tears for Microsoft, but I would love to read some investigative reporting down the line.
OhMeadhbh: Fwiw... I now run personal and professional browser profiles from two different jails / cgroups. It's a pain I the arse to set up, and I have to verify my config still works after every update, but i get a good feeling knowing my personal chocolate is not mixing in with my professional peanut butter.I set up the cgroups hack so I could route traffic from a dev profile into a VPS vpn, and may not be that useful for everyone.But I think this is a reminder that you may want to have at least two profiles: one public and the other private. Do you really want Microsoft to know you I stalled the "Otaku Neko StarBlazers Tru-Fen Extendomatic" package to change every picture of a current political figure to an image from the cast of Space Battleship Yamato?
mcv: Why is JavaScript running in a page even allowed to know what extensions I have? Is this also what sites use to see I've got an ad blocker?Just run everything in a safe environment that it can't look out of.
big_toast: According to the EFF fingerprinting website, Firefox + uBlock Origin didn't really make my browser particularly unique.But turning on privacy.resistfingerprinting in about:config (or was it fingerprintingProtection?) would break things randomly (like 3D maps on google for me. maybe it's related to canvas API stuff?) and made it hard to remember why things weren't working.Not really sure how to strike a balance of broad convenience vs effectiveness these days. Every additional hoop is more attrition.
cwillu: Well, they're able to do it; “allowed” to do it is an ambiguous enough phrasing that it's practically begging to have an argument whose crux is fundamentally about a differing interpretation.
RajT88: The author suggests a legal remedy instead of a technical one.Which is weird, because that is undeniably the hard way. Lobby Google to add protections to Chromium.
cwillu: Putting bars on the windows is fine, but the bad actors still need to be punished.
jshier: There have been mobile Safari ad blockers for 10 years now, free or paid, and many of them can now be unified with desktop Safari. Many alternative iOS browsers include ad blocking directly, since they can't use the Safari plugins (despite all being powered by WebKit).
iso1631: My pihole does a good enough job with phones. I know google wants to close this (hence pushing things like DoH)Last time I tried firefox on the iphone it was rubbish compared with safari. Same with some ad blocking app I had back in the day
ronjouch: "Ad blockers" nowadays do much more. From the horse’s mouth, which describes itself as a “wide-spectrum content blocker” [1]:“uBlock Origin (uBO) is a CPU and memory-efficient wide-spectrum content blocker for Chromium and Firefox. It blocks ads, trackers, coin miners, popups, annoying anti-blockers, malware sites, etc., by default using EasyList, EasyPrivacy, Peter Lowe's Blocklist, Online Malicious URL Blocklist, and uBO filter lists. There are many other lists available to block even more [...]Ads, "unintrusive" or not, are just the visible portion of the privacy-invading means entering your browser when you visit most sites. uBO's primary goal is to help users neutralize these privacy-invading methods in a way that welcomes those users who do not wish to use more technical means.”[1] https://github.com/gorhill/uBlock?tab=readme-ov-file#ublock-...
newsoftheday: I'd like to install uBlock Origin, when I try, Chrome warns it needs the permission to, "Read and change all your data on all websites". That seems excessive, to give that much power to one extension. I currently use no extensions to keep my security posture high.
jamespo: Sadly you are atypical and the vast majority are freeloaders, who even without ads or tracking will try and find another way not to pay.
toomuchtodo: For sure. I'm aware the best I can do is keep paying (because I value the public goods), and hope to be lucky enough to accumulate enough wealth over my life to help bolt endowments on to the orgs that I value that I would like to stick around. A tale as old as time. "It is what it is."
array_key_first: It would not be 5.99 to access a website because that's not what it costs and that's not what ads yield.I think people think ads give way, way more money than they actually do. If you're visiting a website with mostly static ads then you're generating fractions of a cent in revenue for that website. Even on YouTube, you're generating mere cents of revenue across all your watch time for the month.Why does YouTube premium cost, like, 19 dollars a month then? I don't know, your guess is as good as mine.Point is, you wouldn't be paying 5.99. You could probably pay a dollar or two across ALL the websites you visit and you'd actually be giving them more money than you do today.
Rychard: I'm not saying that Firefox on Android has significant market share; rather that Android has significant market share, and those users could be served by switching to Firefox solely for the purpose of using an adblocker.If all Android users did this, something would change.
OhMeadhbh: I think the damage is there even if you don't see the ads. News outlets and organizations that used to be magazine publishers focus on lowest common denominator stories they know will get the highest engagement. That usually means sexy anger-bait.Sure we had that in the print times, but we had a lot more "slow" content that you could sit with and contemplate over a day, week or month.
zephyrwhimsy: The context window is not just a cost concern — it is an information density problem. With 128K tokens you can fit 6 raw web pages or 32 clean Markdown pages.
tombert: I don’t think it would necessarily have to be six bucks a month.Something Awful is a one time fee of ten bucks (a few bucks more to get rid of ads).I wouldn’t really mind a one-time fee for a lot of sites if it meant that they didn’t have to do a bunch of advertising bullshit,
ajsnigrutin: But those websites would have to provide 5.99 a month of value, and many don't.We used to have "static" banners on sites, that would just loop through a predefined list on every refresh, same for every user, and it worked. Not for millions of revenue, but enough to pay for that phpbb hosting.The advertisers started with intrusive tracking, and the sites started with putting 50 ads around a maybe paragraph of usable text. They started with the enshittification, and now they have to deal with the consequences.
zephyrwhimsy: The proliferation of AI coding assistants is shifting the bottleneck from writing code to reviewing code. The developers who will thrive are those who develop strong code review instincts.
ImPostingOnHN: HackerNews users used to be the type that would do the scraping, so they could Hack the data into whatever format or integration they desired.It's unfortunate to see folks here who don't support that – interoperability is at the heart of the Hacker Ethic. LinkedIn is wrong to even try to block this.
garciansmith: I never get the fear behind extensions, at least not to the level where you wouldn't use an open-source extension that's extremely well vetted. And even if that isn't good enough for you, choosing to browse the web without using a content blocker is a far, far greater security risk.
lejalv: But LinkedIn is the one social network many people literally cannot escape to put food on the table.I don't care about how much spying is going on in ESPN. I can ditch it at the shadow of a suspicion. Not so with LinkedIn.This is very alarming, and pretending it's not because everyone else does it sounds disingenuous to me.
phplovesong: YT made sure adblockers ruin the experience. We really need a good YT alternative, as it has become AI slop (shorts) and most new videos are of real poor quality.
jijijijij: Nice try, but you em-dashed like a filthy human. The drone has been dispatched.
sweetheart: the drone that gives hugs, right??? right????
jijijijij: Let me think about that...Yes. Resistance will put the possibility of hugs on the stool, so to speak.
iso1631: coveryoutracks always tells me I'm uniqueWhich is concerning. Until you realise I do the same thing a few days later and I'm still unique.
pizzuh: i dont like that i pay them $79 a month for them to scrape my extensions
haswell: I do think a degree of alarm is appropriate.But it’s critical to sound the correct alarm.To me, it seems like the authors pulled the fire alarm for a single building when in reality there’s a tornado bearing down.And by doing so, everyone is scrambling about a fire instead of the response a tornado siren would cause.They’re both dangerous and worthy of an immediate reaction, but the confusion and misdirection this causes seems deeply problematic.When people realize the fire wasn’t real, they start to question the validity of the alarm. The tornado is still out there.I realize this analogy is a bit stretched.As someone who has spent quite a lot of time steeped in security/privacy research, the stuff described in the article has been happening pervasively across the industry.People absolutely should be alarmed. Many of us have been alarmed for quite some time. Raising the alarm by saying “LinkedIn is searching your computer” isn’t it.
ksymph: [delayed]
II2II: > Free does not scaleNo disagreement there, except the early web was not about scale. The sites you visited may have been created by someone as a hobby, a university professor outlining their courses or research, a government funded organization opening up their resources to the public, a non-profit organization providing information to the public or other professionals, or companies providing information and support for their products (in the way they rarely do today).> people need to eat, pay for rentThose people were either creating small sites in their spare time, or were paid to work on larger sites by their employer.There were undoubtedly gaps in the non-commercial web. On the other hand, I'm not sure that commercializing the web filled those gaps. If anything, it is so "loud" that the web of today feels smaller and less diverse than the web of the 1990's.
dmoose: Google cares deeply about privacy. Google defines privacy as them not giving your private data that they have collected to anyone who hasn't paid them for it or can compel them to give it up.
seanw444: There's a fourth amendment case on the Supreme Court docket (Chatrie v. U.S.) about Google searching a massive amount of user data to find people in a location at a specific time, at police request. The case is about whether the police's warrant warranted such a wide scope of search (if general warrants are allowed).Point being: Google will 100% give your info to the police, regardless of whether the police have the legal right to it or not, and regardless of whether you actually committed a crime or not.Bonus points: the federal court that ruled on the case said that it likely violated the fourth amendment, but they allowed the police to admit the evidence anyway because of the "good faith" clause, which is a new one for me. Time to add it to the list of horribly abusable exceptions (qualified immunity, civil asset forfeiture, and eminent domain coming to mind).
ImPostingOnHN: They knowingly participated in PRISM, too.
compiler-guy: Something may be bad, but accurately describing why it is bad significantly elevates the discourse.Eg, someone could use the phrase "Won't someone think of the children?" to describe a legitimately bad thing like bank fraud, but the solutions that flow from the problem that "children are in danger" are significantly different from the solutions that flow from "phishing attacks are rampant".The two issues in this case aren't quite as different as child-endangerment and bank fraud. But if the problem was as the original title describes, the solution is quite different (better sandboxing) than what the actual solution is. Which I don't know, but better sandboxing ain't it.
abustamam: This may be a hot take but I'd be willing to pay my ISP $10 extra that they would distribute to sites I visit, if it meant zero tracking and ads. I use an ad blocker but I genuinely want to support content creators in a way that doesn't optimize for ads or clicks.There would need to be a way for ISPs to know which websites are getting my traffic in order to know who to distribute the money to, which I'm not a fan of. But I think something along those lines, with anonymized traffic data, would work a treat.
saghm: > This may be a hot take but I'd be willing to pay my ISP $10 extra that they would distribute to sites I visit, if it meant zero tracking and ads. I use an ad blocker but I genuinely want to support content creators in a way that doesn't optimize for ads or clicks.The problem is that both the ISP and the websites would then go "Cool, we're getting $10 a month from them!" for about a minute before they started trying to come up with ways to start showing you ads anyways. With the level of customer appreciation ISPs tend to show, I'm sure they'd have no problem ignoring your complaints and would happily revoke your service if you stopped paying the now $10-higher price per month.
x0x0: Because what they're scanning for is scrapers. So much linkedin scraping. And I'd bet that the majority of the innocuous-looking extensions are scrapers hidden as other extensions to get users to unknowingly use them.
Forgeties79: The point is it’s easy. It’s near frictionless. Unlike a lot of pie in the sky statements I see here like how “easy” it is to install and run Linux (it isn’t, good luck explaining etcher), Firefox adoption is truly trivial for any smartphone user and presents a stronger baseline than chrome does. People here often get critical of Firefox/Mozilla, and I totally get it, but compared to Google Chrome it doesn’t, well, compare.Firefox runs great 99.99% of the time. It’s easy to add extensions. So we should be pushing people to adopt it.
phendrenad2: [delayed]
cbeach: By "anti-zionist tag" do you mean the banned Chrome extension "Coincidence Detector," which was a tool used by anti-semites to identify and tag Jewish people online using triple parentheses (((name))).I might start scanning for people using that extension and block them from the websites I run.
calgarymicro: No, they mean Anti-Zionist Tag[0], an extension that is live on the Chrome Web Store and identifies anti-Zionists for the benefit of Zionists.[0]https://chromewebstore.google.com/detail/anti-zionist-tag/ek...
ozgrakkurt: There is no substance to this statement.> Sadly you are atypical and the vast majority are freeloadersCitation needed.> who even without ads or tracking will try and find another way not to payWhy is this relevant? People try to get free stuff all over the place and I don't find it makes my life difficult.
II2II: >> Sadly you are atypical and the vast majority are freeloaders> Citation needed.I think we need to agree upon a definition of freeloader before citing sources to support the claim. I've found that many people who use the word have a much more transactional view of the world than I do.
CamperBob2: The ISP shouldn't necessarily be involved in this process, but some form of syndication does need to happen, and it seems crazy that it hasn't.The closest we've come is something like Apple News, which allows me to pay for a selected (by them, not me) subset of features on a selected (by them, not me) subset of news sites. Can't somebody do this right?
nightpool: > I think most people would interpret “scanning your computer” as breaking out of the confines the browser and gathering information from the computer itself.Yes, but I also think that most people would interpret "Getting a full list of all the Chrome extensions you have installed" as a meaningful escape/violation of the browser's privacy sandbox. The fact that there's no getAllExtensions API is deliberate. The fact that you can work around this with scanning for extension IDs is not something most people know about, and the Chrome developers patched it when it became common. So I don't think describing it as something everybody would expect is totally fine and normal for browsers to allow is correct.
haswell: > I also think that most people would interpret "Getting a full list of all the Chrome extensions you have installed" as a meaningful escape/violation of the browser's privacy sandboxI think that’s a far more reasonable framing of the issue.> I don't think describing it as something everybody would expect is totally fine and normal for browsers to allow is correct.I agree that most people would not expect their extensions to be visible. I agree that browsers shouldn’t allow this. I, and most privacy/security focused people I know have been sounding the alarm about Chrome itself as unsafe if you care about privacy for awhile now.This is still a drastically different thing than what the title implies.
