Inside the Structure of a Secret Intelligence Network
A recent technical investigation has brought to light the sophisticated architecture of LinkedIn’s hidden browser scanning system. This system, which operates without clear consent or disclosure, allows LinkedIn to collect a vast array of data on its users. Conducted by Fairlinked e.V., this investigation reveals how the system builds intelligence profiles across 200 countries, consolidating data from more than 6,000 Chrome extensions.
The BrowserGate report describes a three-stage detection architecture at the core of LinkedIn’s system: three detection methods, each serving as a fallback for the one before it, so that browser extensions are scanned comprehensively and user activity is revealed without explicit permission.
Three-Stage Detection Process
- Direct Communication: The page attempts to open a connection to an extension through Chrome’s messaging API. This stage fails if the extension’s developer has disabled that feature.
- Resource Probing: LinkedIn uses the fetch() API to request known internal files from each extension and infers that the extension is installed when the request succeeds.
- DOM Tree Inspection: The system inspects the page’s entire Document Object Model (DOM) for traces of extensions, such as the elements they inject.
Each later stage is designed to uncover extensions the earlier stages did not flag, improving the accuracy of the data collected.
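As an added example (not code from the BrowserGate report or from LinkedIn), the following script shows how the “resource probing” stage can be detected from the defender’s side: given the request URLs one page issued, as a privacy extension, devtools export or proxy log would record them, it flags a page that fetches internal files from many different extension IDs. The function names, the `threshold` value and the sample request list are all assumptions constructed for this example; the extension IDs in it are synthetic.

```javascript
// Added example (not from the BrowserGate report or LinkedIn's own code):
// a detector for the "resource probing" stage. Given the request URLs that
// one page issued (as a privacy extension, devtools export or proxy log
// might record them), it flags a page that fetches internal files from
// many different extension IDs. A page that integrates with one extension
// it ships alongside will touch one ID; a scan touches dozens or thousands.

// Chrome extension IDs are 32 characters drawn from the letters a-p.
const EXTENSION_ID_RE = /^[a-p]{32}$/;

// Return { id, path } for a request to an extension's internal resource,
// or null for any other URL (including malformed ones).
function parseExtensionProbe(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return null;
  }
  if (parsed.protocol !== 'chrome-extension:') return null;
  if (!EXTENSION_ID_RE.test(parsed.hostname)) return null;
  return { id: parsed.hostname, path: parsed.pathname };
}

// Group probes by extension ID and decide whether the page is scanning.
// `threshold` is the number of distinct IDs at or above which we call it
// a scan; it is a tunable assumption, not a value from the report.
function analyzeProbes(urls, threshold = 5) {
  const byId = new Map();
  for (const url of urls) {
    const probe = parseExtensionProbe(url);
    if (probe === null) continue;
    if (!byId.has(probe.id)) byId.set(probe.id, new Set());
    byId.get(probe.id).add(probe.path);
  }
  return {
    distinctIds: byId.size,
    probes: Object.fromEntries(
      [...byId].map(([id, paths]) => [id, [...paths].sort()])
    ),
    scanning: byId.size >= threshold,
  };
}

// Constructed sample log. The IDs are synthetic (a letter repeated 32
// times) and do not refer to any real extension; the file names are the
// kind of well-known internal resource a probe asks for.
const fakeId = (letter) => letter.repeat(32);
const SAMPLE_REQUESTS = [
  'https://example.test/feed/api',
  'https://example.test/static/app.js',
  `chrome-extension://${fakeId('a')}/manifest.json`,
  `chrome-extension://${fakeId('b')}/manifest.json`,
  `chrome-extension://${fakeId('c')}/icons/icon128.png`,
  `chrome-extension://${fakeId('d')}/popup.html`,
  `chrome-extension://${fakeId('e')}/manifest.json`,
  `chrome-extension://${fakeId('e')}/content.js`,
  `chrome-extension://${fakeId('f')}/manifest.json`,
  'chrome-extension://not-a-valid-id/manifest.json',
  'not a url at all',
];

if (typeof require !== 'undefined' && require.main === module) {
  const result = analyzeProbes(SAMPLE_REQUESTS);
  console.log(`${result.distinctIds} extension IDs probed; scanning=${result.scanning}`);
  for (const [id, paths] of Object.entries(result.probes)) {
    console.log(`  ${id}: ${paths.join(', ')}`);
  }
}
```

The detector keys on the number of distinct extension IDs rather than on any single URL, because a page legitimately talking to one companion extension also requests `chrome-extension://` resources; it is the breadth of the probing, not the mechanism, that distinguishes a scan.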
Device Fingerprinting
The intelligence network collects 48 distinct characteristics, ranging from hardware metrics to network identifiers. These are categorized under LinkedIn’s Anti-fraud Platform Features Collection (APFC), also referred to as DNA (Device Network Analysis). The data points include:
- CPU core count
- Available device memory
- Screen resolution and color depth
- Network parameters like IP address and connection type
The system also records whether the user has enabled the browser’s “Do Not Track” setting, but does not honor that request when collecting data.
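As an added example (not code from the report or from LinkedIn), the following script shows the defensive counterpart to the fingerprinting described above: privacy tooling detects fingerprint collection by instrumenting the browser properties a collector reads (core count, device memory, screen geometry, connection type, Do Not Track) and flagging a script that reads many of them in one burst. Node has no `navigator` or `screen`, so a constructed stand-in object is used; the function names, the `threshold` value and the two simulated scripts are assumptions made for this example.

```javascript
// Added example (not from the BrowserGate report or LinkedIn's own code):
// a monitor for the fingerprinting surface described above. Privacy
// tooling detects fingerprint collection by instrumenting the properties a
// collector reads (core count, device memory, screen geometry, connection
// type, Do Not Track) and flagging a script that reads many of them in one
// burst. Node has no `navigator` or `screen`, so a constructed stand-in
// object is used; in a browser the same wrapper applies to the real objects.

// Replace the listed properties of `target` with counting getters.
// Returns a report function describing what was read.
function monitorSignals(target, names) {
  const reads = new Map();      // signal name -> number of reads
  const originals = new Map();  // signal name -> value before wrapping
  for (const name of names) {
    originals.set(name, target[name]);
    reads.set(name, 0);
    Object.defineProperty(target, name, {
      configurable: true,
      enumerable: true,
      get() {
        reads.set(name, reads.get(name) + 1);
        return originals.get(name);
      },
    });
  }
  // `threshold` distinct signals in one run is treated as fingerprinting;
  // the value is a tunable assumption, not a figure from the report.
  return function report(threshold = 4) {
    const touched = [...reads].filter(([, n]) => n > 0).map(([name]) => name);
    const fingerprinting = touched.length >= threshold;
    return {
      touched,
      counts: Object.fromEntries(reads),
      fingerprinting,
      // The page's point about "Do Not Track": the preference is set, yet
      // collection went ahead regardless.
      ignoresDoNotTrack: fingerprinting && originals.get('doNotTrack') === '1',
    };
  };
}

// Constructed stand-in for the browser objects a collector reads. The
// property names mirror navigator/screen fields; the values are made up.
const FAKE_NAVIGATOR = {
  hardwareConcurrency: 8,
  deviceMemory: 8,
  screenWidth: 1920,
  screenHeight: 1080,
  colorDepth: 24,
  connectionType: '4g',
  doNotTrack: '1',   // the user has asked not to be tracked
  language: 'en-GB', // not monitored here, to show selective wrapping
};
const MONITORED = ['hardwareConcurrency', 'deviceMemory', 'screenWidth',
                   'screenHeight', 'colorDepth', 'connectionType', 'doNotTrack'];

// Simulated collector: reads the APFC-style hardware and network signals.
function simulatedCollector(nav) {
  return {
    cores: nav.hardwareConcurrency,
    memory: nav.deviceMemory,
    screen: `${nav.screenWidth}x${nav.screenHeight}@${nav.colorDepth}`,
    connection: nav.connectionType,
    dnt: nav.doNotTrack,
  };
}

// Simulated benign script: reads one value to pick a layout.
function simulatedLayoutScript(nav) {
  return nav.screenWidth > 1200 ? 'wide' : 'narrow';
}

// Run one script against a fresh monitored copy and return the report.
function runScenario(script) {
  const nav = { ...FAKE_NAVIGATOR };
  const report = monitorSignals(nav, MONITORED);
  script(nav);
  return report();
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const script of [simulatedCollector, simulatedLayoutScript]) {
    const r = runScenario(script);
    console.log(`${script.name}: read ${r.touched.length} signals, ` +
                `fingerprinting=${r.fingerprinting}, ignoresDoNotTrack=${r.ignoresDoNotTrack}`);
  }
}
```

Counting getters rather than blocking the properties keeps the page working while producing evidence; a real deployment would attach the wrapper before any page script runs and attribute reads to the calling script via a stack trace, which the stand-in here omits.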
Integration with Third-Party Services
LinkedIn’s scanning infrastructure also transmits data to third parties such as HUMAN Security and Merchant Pool. These integrations operated under the radar and are not mentioned in LinkedIn’s privacy policies.
Legal Implications and Violations
The BrowserGate investigation exposes significant legal risk for LinkedIn. It identifies potential violations of GDPR Article 9, which prohibits processing certain categories of sensitive personal data without consent; the installed extensions and device profile can reveal religious beliefs, political opinions, and health data.
Jurisdictional Concerns
Legal repercussions could stem from several jurisdictions across Europe, the UK, and California. The potential penalties under GDPR alone could amount to millions of euros.
Impact on Users and Marketers
For users, these practices represent a serious invasion of privacy, with their data collected without clear consent. For marketers, the implications are twofold: LinkedIn provides robust advertising tools, but its monitoring of competitors’ tools may give LinkedIn an unfair competitive advantage.
The investigation poses crucial questions regarding data ethics and compliance in the evolving landscape of digital marketing, making it essential for businesses and regulators to engage in ongoing discussions surrounding privacy and consent.
Conclusion
The revelations from the investigation highlight the urgent need for regulatory oversight. As LinkedIn continues to dominate the B2B advertising landscape, it must address the balance between leveraging data for business purposes and respecting user privacy rights.