Two class-action lawsuits have been initiated against LinkedIn, accusing the platform of secretly monitoring users through browser extension scanning. The company, however, has strongly rejected the claims, stating that its practices are transparent and already outlined in its privacy policy.
"This is a house of cards built entirely upon a fabrication. We do disclose that we scan for browser extensions in our Privacy Policy, in order to detect abuse and provide defense for site stability," LinkedIn tells PCMag.
The lawsuits were filed on Monday in a U.S. District Court in California, following a report by German organization Fairlinked e.V.. The report alleges that LinkedIn uses a JavaScript file on its website to scan users’ Chrome browser extensions, checking for as many as 6,222 extensions. It further claims that this data could potentially be used to profile users or identify whether they are using competing tools.
LinkedIn disputes these allegations, explaining that the scanning is designed to combat web scraping activities. “We do not use this data to infer sensitive information about members,” the company tells PCMag. Its privacy policy also mentions that it may collect device and network-related data, including details about browsers and add-ons.
According to LinkedIn, the scanning mechanism serves as a protective measure to prevent unauthorized scraping of member profiles. Despite this explanation, the lawsuits argue that the company’s actions exceed reasonable expectations of user privacy and are seeking damages, along with a halt to the scanning practice.
"No reasonable user would read generalized references to URLs, browser data, add-ons, device features, cookies, automated systems, security, anti-abuse, fraud prevention, or similar matters and understand that LinkedIn would covertly interrogate the user’s browser, enumerate or infer installed extensions," one of the complaints says.
One of the lawsuits, filed by California resident Jeff Ganan, claims the practice violates the Electronic Communications Privacy Act and the California Comprehensive Computer Data Access and Fraud Act, among other statutes. A second lawsuit, filed by Nicholas Farrell, raises similar concerns with a stronger focus on alleged violations of California-specific laws.
Fairlinked, which represents commercial LinkedIn users, is also connected to the controversy through one of its board members, believed to be Steven Morell, founder of Teamfluence. LinkedIn claims it previously restricted accounts linked to Teamfluence over concerns about misuse of member data.
Commenting on the dispute, LinkedIn’s Vice President for Legal, Sarah Wight, said: “So we acted to restrict the accounts associated with Teamfluence. In retaliation for their accounts being suspended, in January, the creator of Teamfluence sought an injunction against LinkedIn in Germany,” adding, “I’m happy to report that the court thoroughly rejected Teamfluence’s claims, reaffirming LinkedIn’s ability to act swiftly and decisively against bad actors who access member data inappropriately."
In a separate statement to PCMag, LinkedIn added, “Unfortunately, this is a case of an individual who lost in the court of law, but is seeking to re-litigate in the court of public opinion without regard for accuracy,” referring to the ongoing controversy.
Fairlinked, however, disputes LinkedIn’s narrative, stating: “the court case Microsoft cites has nothing to do with the surveillance operation. That case concerns an account suspension. BrowserGate was never mentioned in the proceedings. Microsoft implies it prevailed. It did not. A motion for a preliminary injunction was denied. Both plaintiffs have appealed. The litigation is ongoing.”
The group has also challenged LinkedIn’s justification for scanning browser extensions, arguing that the scope of data collection goes far beyond security needs. “Scanning for 6,000 extensions and transmitting the results to third parties without user consent is not server protection. It’s an illegal spying operation,” it says. "The scan list contains thousands of extensions that have nothing to do with scraping. Religious extensions. Political opinion extensions. Job search tools. Neurodivergent aids. Amazon image downloaders. Pharmacy operations tools. Delivery schedulers. Clearly, server protection is not the goal here.”
