The practice at the center of the controversy is called resource testing. When a user opens LinkedIn in a Chromium-based browser, the platform’s JavaScript checks for the presence of specific browser extensions, currently a list of more than 6,000, aggregates that data, and sends it to LinkedIn’s servers.
Forterra’s Associate Director of Security R&D Tyler Regule examined the process and was direct in his assessment. “Yes, LinkedIn was checking for a lot of extensions, but there was no scanning of your computer and no malicious code, just a simple JavaScript technique to determine whether the extension was there or not,” he told SecurityWeek.
What did Regule find when he tested the extensions?
He sampled about 10% of the flagged extensions list and found that the results were good, although not in the sense the “BrowserGate” framing intended.
Of those tested, one extension refused to close when they tried to close its tab; others changed the browser’s homepage and added unwanted bookmarks; another played Rick Astley’s “Never Gonna Give You Up” whenever the browser was opened.
They also noted a statistical limitation on LinkedIn’s actual detection ability: based on their testing, only 2,000 of the more than 6,000 listed extensions could actually be detected.
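The gap between the 6,000 listed IDs and the roughly 2,000 that were detectable follows from how a web page can see an extension at all. The example below is added here and is not LinkedIn’s or Forterra’s code; it assumes the probe is the standard one, in which a page tries to load a resource the extension has declared under `web_accessible_resources` at its fixed `chrome-extension://<id>/` origin. Under that assumption, an extension is only probeable from a given site if it declares such resources and, for Manifest V3, if a `matches` pattern covers that site and `use_dynamic_url` is not set. The audit function takes an extension’s `manifest.json` and a page URL and reports what that page could probe; the manifests are constructed samples.

```javascript
// Added example (not from the article, LinkedIn or Forterra): audit a Chrome
// extension manifest to decide whether a page at `pageUrl` could detect the
// extension by loading one of its web-accessible resources.

// Escape a string for literal use inside a RegExp.
function escapeRe(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Does a Chrome match pattern (e.g. "https://*.example.com/*") cover `url`?
// Handles <all_urls>, the "*" scheme (http or https), "*" / "*.host" hosts
// and glob paths; that is all this audit needs.
function matchesPattern(pattern, url) {
  if (pattern === '<all_urls>') return true;
  const m = /^(\*|[a-z][a-z0-9+.-]*):\/\/([^/]*)(\/.*)$/.exec(pattern);
  if (!m) return false;
  const [, scheme, host, path] = m;
  const u = new URL(url);
  const uScheme = u.protocol.slice(0, -1);
  if (scheme === '*' ? !['http', 'https'].includes(uScheme) : scheme !== uScheme) return false;
  if (host !== '*') {
    if (host.startsWith('*.')) {
      const base = host.slice(2);
      if (u.hostname !== base && !u.hostname.endsWith('.' + base)) return false;
    } else if (u.hostname !== host) {
      return false;
    }
  }
  const pathRe = new RegExp('^' + path.split('*').map(escapeRe).join('.*') + '$');
  return pathRe.test(u.pathname);
}

// Report which resources a page at `pageUrl` could load from this extension.
// MV2 exposes every listed resource to every origin. MV3 scopes each entry
// with `matches`; entries with `use_dynamic_url` are served only under a
// per-session dynamic origin, so a probe keyed on the fixed ID fails.
function probeableResources(manifest, pageUrl) {
  const war = manifest.web_accessible_resources;
  if (!Array.isArray(war) || war.length === 0) {
    return { probeable: false, resources: [], dynamicUrl: false };
  }
  if (manifest.manifest_version === 2) {
    return { probeable: true, resources: war.slice(), dynamicUrl: false };
  }
  const resources = new Set();
  let dynamicUrl = false;
  for (const entry of war) {
    const matches = entry.matches || [];            // no matches => not reachable by web pages
    if (!matches.some((p) => matchesPattern(p, pageUrl))) continue;
    if (entry.use_dynamic_url) { dynamicUrl = true; continue; }
    for (const r of entry.resources || []) resources.add(r);
  }
  return { probeable: resources.size > 0, resources: [...resources], dynamicUrl };
}

// Summarise a list of manifests the way the article's statistic does:
// how many of the listed extensions a given page could actually detect.
function countProbeable(manifests, pageUrl) {
  const probeable = manifests.filter((m) => probeableResources(m, pageUrl).probeable).length;
  return { total: manifests.length, probeable };
}

// Constructed sample manifests (not real extensions).
const MV2_MANIFEST = {
  manifest_version: 2, name: 'sample-mv2',
  web_accessible_resources: ['icon.png', 'inject.js'],
};
const MV3_SCOPED_MANIFEST = {
  manifest_version: 3, name: 'sample-mv3-scoped',
  web_accessible_resources: [{ resources: ['widget.html'], matches: ['https://*.example.com/*'] }],
};
const MV3_DYNAMIC_MANIFEST = {
  manifest_version: 3, name: 'sample-mv3-dynamic',
  web_accessible_resources: [{ resources: ['style.css'], matches: ['<all_urls>'], use_dynamic_url: true }],
};
const NO_WAR_MANIFEST = { manifest_version: 3, name: 'sample-no-resources' };
const SAMPLE_MANIFESTS = [MV2_MANIFEST, MV3_SCOPED_MANIFEST, MV3_DYNAMIC_MANIFEST, NO_WAR_MANIFEST];

console.log(countProbeable(SAMPLE_MANIFESTS, 'https://www.linkedin.com/'));
```

Run over the four samples from a LinkedIn page, only the MV2 extension is detectable: the scoped MV3 one exposes its resource to example.com only, the dynamic-URL one cannot be probed by fixed ID, and the last declares nothing. The same audit, applied to the published ID list against an organisation's own installed extensions, tells an administrator which of them leak their presence to arbitrary sites, which is the defensive use Regule points to.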
“To say that a lot of these are the worst extensions is not an exaggeration,” he said, and his working theory is that LinkedIn is checking not to build user profiles, but to protect against data scrapers.
The security verdict may be relatively benign, but the legal picture is murky. Ilya Kolochenko, a lawyer specializing in cybersecurity and data protection, told SecurityWeek that the legality of browser fingerprinting varies significantly by jurisdiction.
Under GDPR and similar privacy laws, collecting such information about a user without consent would be considered a crime. Additionally, there are circumstances in which such behavior may be considered a crime, especially if the data is used for commercial purposes without notifying the user.
LinkedIn says the information is used to determine whether an extension violates its terms of service, and for defensive purposes when anomalies are detected within an account.
LinkedIn states that the data is not used to infer personal characteristics of the individual. However, it has not told users how the data is stored.
For Regule, the lesson is the opposite of the sensationalist framing. Rather than a privacy scandal, Regule sees the published extension IDs as potentially useful to IT managers and security teams that restrict which software is allowed to run.
The bottom line of his analysis is: “I can’t help but look at it as a giant nothing burger.” The enduring issue is not whether LinkedIn engaged in a surveillance program, which seems unlikely, but whether anyone has the right to surreptitiously collect such information.
