The professional networking website LinkedIn is under investigation for allegedly collecting data on users’ browser extensions without their knowledge.
Fairlinked e.V., a European association representing LinkedIn users, conducted an investigation and published its findings in the report “BrowserGate.” The report explains that LinkedIn uses several hidden JavaScript fingerprinting scripts to track which browser extensions LinkedIn users have installed. The hidden scripts have collected data on over 6,222 browser extensions across 405 million people.
The “BrowserGate” report states that browser extensions can indicate users’ religious practices, political opinions, and disabilities. As a professional networking site, LinkedIn already knows a lot about its users, including their names and employers, making it easier to reveal trade secrets, like which companies use competing job search or sales tools.
“BrowserGate” reveals that when users open LinkedIn in Chrome, the platform loads a hidden tracking feature from HUMAN Security (formerly PerimeterX). LinkedIn runs a second fingerprinting script, and Google applies another encrypted script. This software isn’t listed in LinkedIn’s privacy terms and conditions.
Article 9 of the EU’s General Data Protection Regulation (GDPR) places a person’s information into two categories. “Ordinary person data” refers to basic information like a person’s name, email address, and browsing history. The second category, “special category data,” refers to race or ethnicity, religious beliefs, political opinions, and trade union membership.
LinkedIn’s hidden tracking violates the European Union’s (EU) Digital Markets Act (DMA). The DMA allows companies like LinkedIn to use third-party tools to access ordinary person data, but prohibits them from gathering special category data.
Article 83(5) of the GDPR imposes the highest penalty for Article 9 violations: either four percent of the company’s total annual revenue or 23,470,000 US dollars (20,000,000 euros), whichever is higher per violation. The report states that $11.27 billion would be four percent of LinkedIn’s $281.72 billion annual revenue.
The “BrowserGate” report supplied a list of all the browser extensions LinkedIn has scanned and stored.
The report suggests users take action in several ways, such as requesting access to their data. LinkedIn users can submit a GDPR Subject Access Request and order the company to disclose which extensions it detected on that person’s browser, when it scanned those extensions, what data it stored, who it shared that information with, and the company’s legal claim for these actions.
People who have used LinkedIn can register as co-plaintiffs in the case. Fairlinked e.V. created a Chrome extension that reveals LinkedIn’s scanning behavior in a person’s browser. Fairlinked e.V. recommends that users upload this evidence to their servers. People can also send a paper letter to the local data protection authority, Microsoft, LinkedIn, the national IT security authority (CERT), or a government official.
List of scanned browser extensions: https://browsergate.eu/extensions/

