Thursday, April 9, 2026
LinkedIn scanning users’ browser extensions sparks controversy and two lawsuits


LinkedIn is facing two lawsuits over its practice of scanning users’ browsers to determine which extensions they’re running. Two class action complaints were filed by different law firms on behalf of different plaintiffs Monday in US District Court for the Northern District of California.

Each complaint has one named plaintiff and seeks to represent a proposed class including all LinkedIn users in the US. The complaints seem to rely heavily on the recent “BrowserGate” report by a German entity called Fairlinked, which describes itself as a trade association and advocacy group for commercial LinkedIn users.

Fairlinked appears to be run by the same people behind Teamfluence, an Estonian software company that sued LinkedIn in Munich in January. LinkedIn says Teamfluence distributed a browser extension that scraped LinkedIn user data in violation of the user agreement, and that its LinkedIn accounts were suspended.

LinkedIn, a Microsoft subsidiary, does not deny that it scans browsers to identify extensions. There is a dispute over whether LinkedIn adequately discloses the scanning and how it uses the information it gathers. LinkedIn says it looks for extensions that violate its terms by scraping user data without consent.

The scanning is performed on Google Chrome and Chromium-based browsers like Microsoft Edge. LinkedIn’s privacy policy discloses that the company uses cookies and similar technologies to collect information about each user’s “web browser and add-ons.” LinkedIn acknowledges collecting this data along with other information about the user’s network and device, such as the IP address and operating system.

The “add-ons” reference in LinkedIn’s privacy policy seems to refer to browser extensions, as the two words are often used interchangeably. The BrowserGate report and the two lawsuits filed this week allege that the privacy policy disclosure isn’t extensive enough.

“Plaintiff and Class members had an objectively reasonable expectation of privacy because, unlike other forms of tracking, Defendant does not disclose in its Privacy Policy or elsewhere that it tracks users’ browser extensions or that it discloses data about those extensions to third parties,” said a lawsuit whose named plaintiff is California resident Nicholas Farrell.

The other lawsuit alleges that “LinkedIn crossed the line by using anti-abuse justifications as cover for massive covert browser surveillance on a global scale that far exceeded both necessity and any iteration of consent.” The lawsuit’s named plaintiff is California resident Jeff Ganan.

Group alleged LinkedIn illegally searches computers

LinkedIn says the allegations stem from its dispute with Teamfluence, which sells what it calls a LinkedIn “radar” that automatically collects information about interactions on the LinkedIn website. Teamfluence offers a Chrome extension.

“This is a house of cards built entirely upon a fabrication,” LinkedIn said in a statement provided to Ars and other media outlets. “We do disclose that we scan for browser extensions in our Privacy Policy, in order to detect abuse and provide defense for site stability.”

Fairlinked’s BrowserGate report alleged that “LinkedIn Is illegally searching your computer” and that “Microsoft is running one of the largest corporate espionage operations in modern history.” Fairlinked says LinkedIn uses “a hidden JavaScript program” to scan browsers for the presence of 6,222 extensions.

This includes scanning “for every major competitor to Microsoft’s own products—Salesforce, HubSpot, Pipedrive—building company-level intelligence on which businesses use which software,” it says. “Because LinkedIn knows your name, employer, and role, each scan aggregates into a corporate technology profile assembled without anyone’s knowledge.”

Fairlinked’s argument that LinkedIn is gathering personal information is based on the fact that the extensions it detects include “an Islamic content filter,” an “anti-Zionist political tagger,” and “a tool designed for neurodivergent users.” Fairlinked claims that looking for these extensions on user devices amounts to “processing data that reveals religious beliefs, political opinions, or health conditions” and that this requires explicit consent under EU law.

“Every time any of LinkedIn’s one billion users visits linkedin.com, hidden code searches their computer for installed software, collects the results, and transmits them to LinkedIn’s servers and to third-party companies including an American-Israeli cybersecurity firm,” the report said. “The user is never asked. Never told. LinkedIn’s privacy policy does not mention it.”

Fairlinked’s evidence that LinkedIn transmits data to third-party firms includes the presence of a hidden iframe from American-Israeli firm Human Security, which offers technology for detecting and blocking bots. Fairlinked also cites LinkedIn’s use of a device fingerprinting script, but the script is associated with a LinkedIn URL rather than a third-party website. Fairlinked additionally points to LinkedIn’s use of Google’s reCAPTCHA, a widely used service designed to detect and protect against bots.

LinkedIn: BrowserGate claims “are plain wrong”

The Ganan lawsuit said that “LinkedIn did not disclose the role of third parties involved in this data extraction—nor what those parties or their subprocessors or clients could or would do with that data.”

A LinkedIn spokesperson today pointed Ars to a Hacker News post last week in which the company responded to the BrowserGate allegations. LinkedIn said:

The claims made on the [BrowserGate] website linked here are plain wrong. The person behind them is subject to an account restriction for scraping and other violations of LinkedIn’s Terms of Service.

To protect the privacy of our members, their data, and to ensure site stability, we do look for extensions that scrape data without members’ consent or otherwise violate LinkedIn’s Terms of Service.

LinkedIn’s post on Hacker News said it looks for extensions that “have static resources (images, javascript) available to inject into our webpages… We use this data to determine which extensions violate our terms, to inform and improve our technical defenses, and to understand why a member account might be fetching an inordinate amount of other members’ data, which at scale, impacts site stability. We do not use this data to infer sensitive information about members.”

LinkedIn lawyer Sarah Wright, a company vice president, wrote yesterday that “Teamfluence was distributing a browser extension that scraped member data from LinkedIn without our members’ knowledge or consent,” in violation of LinkedIn’s user agreement. “In retaliation for their accounts being suspended, in January the creator of Teamfluence sought an injunction against LinkedIn in Germany, demanding that their accounts be restored and claiming that LinkedIn’s enforcement of its User Agreement violated various EU laws.”

Wright states that “the court thoroughly rejected Teamfluence’s claims, reaffirming LinkedIn’s ability to act swiftly and decisively against bad actors who access member data inappropriately. The judge not only ruled in our favor, but also found Teamfluence itself is violating data protection laws, and LinkedIn is entitled to protect our members.”

We contacted Teamfluence today and will update this article if it provides a response.

“Unfortunately, this is a case of an individual who lost in the court of law, but is seeking to re-litigate in the court of public opinion without regard for accuracy,” LinkedIn said.

Lawyer: LinkedIn “does not meaningfully deny” allegation

It’s not uncommon for lawyers to file class action lawsuits shortly after explosive claims are made by media outlets or advocacy groups. The Farrell lawsuit against LinkedIn extensively quotes the BrowserGate report and describes Fairlinked as a “European advocacy group” without mentioning its ties to Teamfluence. We contacted the lawyers who filed the lawsuit and will update this article if we get a response.

The Ganan lawsuit doesn’t mention the BrowserGate report but makes similar allegations. J.R. Howell, the Santa Monica attorney who filed the complaint, told Ars today that the suit’s allegations “were based on the firm’s own review and analysis of LinkedIn’s client-side code and related technical behavior, as well as the applicable US and California legal framework.”

Howell told Ars that LinkedIn’s response to the claims does not refute the central allegation regarding lack of consent.

“LinkedIn’s public response does not meaningfully deny the core conduct alleged in the complaint,” Howell told Ars. “The real question is not whether LinkedIn says it was fighting abuse of the terms of service. The question is whether users were actually informed, in any clear and meaningful way, that LinkedIn would secretly probe their browsers for installed extensions, extract session-linked data, and make that data available to undisclosed third parties whose own uses could extend beyond a one-time compliance check.”

Howell argues that a “reasonable user does not consent to mass browser surveillance and third-party data exploitation through vague references to security, cookies, add-ons, or abuse prevention.”

Both lawsuits allege that LinkedIn violated the California Constitution’s protection against invasion of privacy and the California Comprehensive Computer Data Access and Fraud Act. The Ganan lawsuit also alleges that LinkedIn violated the federal Electronic Communications Privacy Act. Both lawsuits seek financial damages and an injunction forcing the company to change its data-collection and disclosure practices.