LinkedIn Is Illegally Searching Your Computer

LinkedIn is using invasive techniques to fingerprint your browser. Together with its understanding of your identity and professional history, it has the ingredients for an incredibly detailed profile.

[BrowserGate by Fairlinked]

This is quite a serious accusation:

“Every time any of LinkedIn’s one billion users visits linkedin.com, hidden code searches their computer for installed software, collects the results, and transmits them to LinkedIn’s servers and to third-party companies including an American-Israeli cybersecurity firm.”

This is an EU-based site, hence the reference to the location of the cybersecurity firm. The authors are quick to point out that they believe this scanning is illegal in the EU.

The claim is also a little hyperbolic. “Installed software” makes it sound like LinkedIn is scanning your whole computer. In reality, it’s checking for browser extensions. That’s a fairly common component of modern browser fingerprinting: at this point it’s fairly well-known that the individual mix of extensions, fonts, etc. available to a browser can be used to track individuals on the web without using cookies.

That’s not to say that it’s not invasive — it clearly is!

Browser extensions can cover a ton of identifying activity: they can reveal a person’s religion, sexuality, interests, political orientation, and so on. The implication is that this is specifically bad here because LinkedIn knows the identity of its logged-in users; as a result, this is information it could use, for unknown purposes, to hydrate profiles of the specific, known individuals who use its site. It’s a little over the top to call this espionage, as the linked site here does, but it’s an abuse of trust that is certainly worth calling out.

I was mostly interested in how this works; if LinkedIn is doing it, then others surely are too. The answer seems to be a set of JS calls that work in most Chromium-based browsers (Chrome, Edge, Arc, Dia, etc.). They’re checking for over six thousand extensions that they know and care about, which all have specific “tells” that a website can check for. Then they check whether anything has modified the page, to catch any extensions that weren’t on their list. They also check, cheekily, to see if you have “Do Not Track” switched on, but track you regardless (it’s just another part of the fingerprint to them). Finally, they’re gathering everything from your screen size and CPU type to your battery level.

This all does double duty: the resulting fingerprint is so detailed that they can use it to track you and notice when you’re using a different computer or have changed your settings, and it can also be used to profile you for profit.

The quickest solution is to use Firefox, which blocks these kinds of fingerprinting attacks. Zen Browser, which is based on the Firefox core, is my day-to-day browser, and I love it. But Chromium-based browsers need to do more to stop fingerprinting, and jurisdictions like the EU need to ban the practice outright.
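For anyone staying on a Chromium-based browser, here is an added example (not code from the linked report or from LinkedIn) that audits extension manifests for the kind of “tell” a website can check for. It assumes the tell is a web-accessible resource at a fixed extension URL, which is one common mechanism and not something the post itself specifies; the function names and sample manifests are constructed for illustration.

```javascript
// Added example: audit extension manifests for resources any website can probe.
// Assumption: the "tell" is a web-accessible resource at a fixed extension URL.
const ANY_SITE = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Return the resource paths in one parsed manifest.json that any page can request.
function probeableResources(manifest) {
  const war = manifest.web_accessible_resources;
  if (!Array.isArray(war)) return [];
  const exposed = [];
  for (const entry of war) {
    if (typeof entry === "string") {
      exposed.push(entry); // Manifest V2: plain path list, readable from every origin
    } else if (entry && Array.isArray(entry.resources)) {
      // Manifest V3: per-entry scoping. A dynamic URL is meant to change per
      // session, so a fixed extension ID no longer locates the resource.
      if (entry.use_dynamic_url === true) continue;
      const matches = Array.isArray(entry.matches) ? entry.matches : [];
      if (matches.some((m) => ANY_SITE.has(m))) exposed.push(...entry.resources);
    }
  }
  return exposed;
}

// Audit a list of { id, manifest } records and keep only the exposed ones.
function auditExtensions(installed) {
  return installed
    .map(({ id, manifest }) => ({ id, name: manifest.name, exposed: probeableResources(manifest) }))
    .filter((r) => r.exposed.length > 0);
}

// Constructed sample manifests (hypothetical extensions, placeholder IDs).
const SAMPLE = [
  { id: "placeholder-id-1", manifest: { manifest_version: 2, name: "Legacy Helper",
      web_accessible_resources: ["img/icon.png"] } },
  { id: "placeholder-id-2", manifest: { manifest_version: 3, name: "Scoped Tool",
      web_accessible_resources: [{ resources: ["panel.html"], matches: ["https://example.com/*"] }] } },
  { id: "placeholder-id-3", manifest: { manifest_version: 3, name: "Open Tool",
      web_accessible_resources: [{ resources: ["inject.js", "ui.css"], matches: ["<all_urls>"] }] } },
  { id: "placeholder-id-4", manifest: { manifest_version: 3, name: "Dynamic Tool",
      web_accessible_resources: [{ resources: ["frame.html"], matches: ["<all_urls>"], use_dynamic_url: true }] } },
  { id: "placeholder-id-5", manifest: { manifest_version: 3, name: "No Resources" } },
];

console.log(auditExtensions(SAMPLE));
```

Real input would be the parsed manifest.json files from the browser profile's Extensions directory; anything the audit lists is a candidate for removal or replacement.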
