Mastodawn

digitalWestie 5d ago

LinkedIn Is Illegally Searching Your Computer

https://browsergate.eu/

LinkedIn Is Illegally Searching Your Computer

Microsoft is running one of the largest corporate espionage operations in modern history. Every time any of LinkedIn’s one billion users visits linkedin.com, hidden code searches their computer for installed software, collects the results, and transmits them to LinkedIn’s servers and to third-party companies including an American-Israeli cybersecurity firm. The user is never asked. Never told. LinkedIn’s privacy policy does not mention it. Because LinkedIn knows each user’s real name, employer, and job title, it is not searching anonymous visitors. It is searching identified people at identified companies. Millions of companies. Every day. All over the world.

BrowserGate

The headline seems pretty misleading. Here’s what seems to actually be going on:

> Every time you open LinkedIn in a Chrome-based browser, LinkedIn’s JavaScript executes a silent scan of your installed browser extensions. The scan probes for thousands of specific extensions by ID, collects the results, encrypts them, and transmits them to LinkedIn’s servers.

This does seem invasive. It also seems like what I’d expect to find in modern browser fingerprinting code. I’m not deeply familiar with what APIs are available for detecting extensions, but the fact that it scans for specific extensions sounds more like a product of an API limitation (i.e. no available getAllExtensions() or somesuch) vs. something inherently sinister (e.g. “they’re checking to see if you’re a Muslim”).

I’m certainly not endorsing it, do think it’s pretty problematic, and I’m glad it’s getting some visibility. But I do take some issue with the alarmist framing of what’s going on.

I’ve come to mostly expect this behavior from most websites that run advertising code and this is why I run ad blockers.

How is probing your browser for installed extensions not "scanning your computer"?

Calling the title misleading because they didn't breach the browser sandbox is wrong when this is clearly a scenario most people didn't think was possible. Chrome added extensionId randomization with the change to V3, so it's clearly not an intended scenario.

> vs. something inherently sinister (e.g. “they’re checking to see if you’re a Muslim”)

They chose to put that particular extension in their target list, how is it not sinister? If the list had only extensions to affect LinkedIn page directly (a good chunk seem to be LinkedIn productivity tools) they would have some plausible deniability, but that's not the case. You're just "nothing ever happens"ing this.

afandian 5d ago

When "the browser is the OS", scanning that is a pretty big chunk of "your computer".

but the language of "your computer" implies files on your computer, as it would be what people commonly call it. Merely just the extension is not enough.

If it has the ability to scan your bookmarks, or visited site history, that would lend more credence to using the term "computer".

The title ought to have said "linkedIn illegally scans your browser", and that would make clear what is being done without being sensationalist.

blenderob 5d ago

> but the language of "your computer" implies files on your computer, as it would be what people commonly call it. Merely just the extension is not enough.

But the language of "your computer" also implies software on your computer including but not limited to Chrome extensions.

ImPostingOnHN 5d ago

It implies more than just the browser, which is likely why it was used for the post title. If it is exclusively limited to the browser, then "scans your browser" is more correct, and doesn't mislead the reader into thinking something is happening which isn't commonplace on the internet.

Extensions are files installed on your computer, though?

it doesn't have to be files. it could be in memory on the browser. Extensions don't imply files for anyone but the most technical of conversations. Certainly not to the laymen.

Having sensationalist titles should be called out at every opportunity.

blenderob 5d ago

> it doesn't have to be files. it could be in memory on the browser.

How'd that work? If it's in memory, the extensions would vanish everytime I shutdown Chrome? I'll have to reinstall all my extensions again everytime I restart Chrome?

Have you seen any browser that keeps extension in memory? Where they ask the user to reinstall their extensions everytime they start the browser?

justonceokay 5d ago

Are you defending LinkedIn’s behavior right now or are you just happy to be more technically correct (the best kind of correct!) than those around you? Trying to understand the angle

ImPostingOnHN 5d ago

The browser fingerprinting described is ubiquitous on the internet, used by players large and small. There are even libraries to do this.

Like OP, I don't consider behavior confined to the browser to be my computer. "Scans your browser" is both technically correct and less misleading. "Scans your computer" was chosen instead, to get more clicks.

This is just the next iteration of the issues with Linux file permissions, where the original threat model was “the computer is used by many users who need protection from each other”, and which no longer makes much sense in a world of “the computer is used by one or more users who need protection from each other and also from the huge amounts of potentially malicious remote code they constantly execute”.

And I spend a lot of my time at home on my computer. The article should have said LinkedIn is searching my house.

In the same way that scanning and identifying your microwave for food you put inside it is not the same as scanning your house and reading the letters in your postbox.

Your browser is a subset of your computer and lives inside a sandbox. Breaching that sandbox is certainly a much more interesting topic than breaking GDPR by browser fingerprinting.

There are rules and laws about fingerprinting too, I thought.

moffkalast 5d ago

Lol, lmao even. Lawmakers are banning privacy as fast as they can, this kind of personally identifiable stuff is perfectly aligned with their end goals.

Checking for extensions is barely anything when you consider the amount of system data a browser exposes in various APIs, and you can identify someone just by checking what's supported by their hardware, their screen res, what quirks the rendering pipeline has, etc. It's borderline trivial and impossible to avoid if you want a working browser, and if you don't the likes of Anubis will block you from every site cause they'll think you're a VM running scraper bot.

> How is probing your browser for installed extensions not "scanning your computer"?

I think most people would interpret “scanning your computer” as breaking out of the confines the browser and gathering information from the computer itself. If this was happening, the magnitude of the scandal would be hard to overstate.

But this is not happening. What actually is happening is still a problem. But the hyperbole undermines what they’re trying to communicate and this is why I objected to the title.

> They chose to put that particular extension in their target list, how is it not sinister?

Alongside thousands of other extensions. If they were scanning for a dozen things and this was one of them, I’d tend to agree with you. But this sounds more like they enumerated known extension IDs for a large number of extensions because getting all installed extensions isn’t possible.

If we step back for a moment and ask the question: “I’ve been tasked with building a unique fingerprint capability to combat (bots/scrapers/known bad actors, etc), how would I leverage installed extensions as part of that fingerprint?”

What the article describes sounds like what many devs would land on given the browser APIs available.

To reiterate, at no point am I saying this is good or acceptable. I think there’s a massive privacy problem in the tech industry that needs to be addressed.

But the authors have chosen to frame this in language that is hyperbolic and alarmist, and in doing so I thing they’re making people focus on the wrong things and actually obscuring the severity of the problem, which is certainly not limited to LinkedIn.

emacdona 5d ago

> I think most people would interpret “scanning your computer” as breaking out of the confines the browser and gathering information from the computer itself.

That is exactly how I interpreted it, and that is why I clicked the link. When I skimmed the article and realized that wasn't the case, I immediately thought "Ugh, clickbait" and came to the HN comments section.

> To reiterate, at no point am I saying this is good or acceptable. I think there’s a massive privacy problem in the tech industry that needs to be addressed.

100% Agree.

So, in summary: what they are doing is awful. Yes, they are collecting a ton of data about you. But, when you post with a headline that makes me think they are scouring my hard drive for data about me... and I realize that's not the case... your credibility suffers.

Also, I think the article would be better served by pointing out that LinkedIn is BY FAR not the only company doing this...

But LinkedIn is the one social network many people literally cannot escape to put food on the table.

I don't care about how much spying is going on in ESPN. I can ditch it at the shadow of a suspicion. Not so with LinkedIn.

This is very alarming, and pretending it's not because everyone else does it sounds disingenuous to me.

franktankbank 5d ago

That sounds problematic and is only supported by people mindlessly agreeing to it. I know someone who got jobs at google and apple with no linkedin, and he wasn't particularly young. What do you do in the face of it? I say quit entirely. It was an easy decision because I got nothing out of it during the entire time I was on it.

ryandrake 5d ago

> What the article describes sounds like what many devs would land on given the browser APIs available.

> To reiterate, at no point am I saying this is good or acceptable. I think there’s a massive privacy problem in the tech industry that needs to be addressed.

These two sentences highlight the underlying problem: Developers without an ethical backbone, or who are powerless to push back on unethical projects. What the article describes should not be "what many devs would land on" naturally. What many devs should land on is "scanning the user's browser in order to try to fingerprint him without consent is wrong and we cannot do it."

To put it more extreme: If a developer's boss said "We need to build software for a drone that will autonomously fly around and kill infants," The developer's natural reaction should not be: "OK, interesting problem. First we'll need a source of map data, and vision algorithm that identifies infants...." Yet, our industry is full of this "OK, interesting technology!" attitude.

Unfortunately, for every developer who is willing to draw the line on ethical grounds, there's another developer waiting in the recruiting pipeline more than willing to throw away "doing the right thing" if it lands him a six figure salary.

I completely agree.

Fighting against these kinds of directives was a large factor in my own major burnout and ultimately quitting big tech. I was successful for awhile, but it takes a serious toll if you’re an IC constantly fighting against directors and VPs just concerned about solving some perceived business problem regardless of the technical barriers.

Part of the problem is that these projects often address a legitimate issue that has no “good” solution, and that makes pushing back/saying no very difficult if you don’t have enough standing within the company or aren’t willing to put your career on the line.

I’d be willing to bet good money that this LinkedIn thing was framed as an anti-bot/anti-abuse initiative. And those are real issues.

But too many people fail to consider the broader implications of the requested technical implementation.

> These two sentences highlight the underlying problem: Developers without an ethical backbone, or who are powerless to push back on unethical projects. What the article describes should not be "what many devs would land on" naturally. What many devs should land on is "scanning the user's browser in order to try to fingerprint him without consent is wrong and we cannot do it."

I think using LinkedIn is pretty much agreeing to participate in “fingerprinting” (essentially identifying yourself) to that system. There might be a blurry line somewhere around “I was just visiting a page hosted on LinkedIn.com and was not myself browsing anyone else’s personal information”, but otherwise LinkedIn exists as a social network/credit bureau-type system. I’m not sure how we navigate this need to have our privacy while simultaneously needing to establish our priors to others, which requires sharing information about ourselves. The ethics here is not black and white.

jcgrillo 5d ago

You can't actually push back as an IC. Tech companies aren't structured that way. There's no employment protection of any kind, at least in the US. So the most you can do is protest and resign, or protest and be fired. Either way, it'll cost you your job. I've paid that price and it's steep. There's no viable "grassroots" solution to the problem, it needs to come from regulation. Managers need to serve time in prison, and companies need to be served meaningfully damaging fines. That's the only way anything will get done.

nightpool 5d ago

> I think most people would interpret “scanning your computer” as breaking out of the confines the browser and gathering information from the computer itself.

Yes, but I also think that most people would interpret "Getting a full list of all the Chrome extensions you have installed" as a meaningful escape/violation of the browser's privacy sandbox. The fact that there's no getAllExtensions API is deliberate. The fact that you can work around this with scanning for extension IDs is not something most people know about, and the Chrome developers patched it when it became common. So I don't think describing it as something everybody would expect is totally fine and normal for browsers to allow is correct.

> I also think that most people would interpret "Getting a full list of all the Chrome extensions you have installed" as a meaningful escape/violation of the browser's privacy sandbox

I think that’s a far more reasonable framing of the issue.

> I don't think describing it as something everybody would expect is totally fine and normal for browsers to allow is correct.

I agree that most people would not expect their extensions to be visible. I agree that browsers shouldn’t allow this. I, and most privacy/security focused people I know have been sounding the alarm about Chrome itself as unsafe if you care about privacy for awhile now.

This is still a drastically different thing than what the title implies.

> Alongside thousands of other extensions. If they were scanning for a dozen things and this was one of them, I’d tend to agree with you. But this sounds more like they enumerated known extension IDs for a large number of extensions because getting all installed extensions isn’t possible.

To take a step back further: what you're saying here is that gathering more data makes it less sinister. The gathering not being targeted is not an excuse for gathering the data in the first place.

It's likely that the 'naive developer tasked with fingerprinting' scenario is close to the reality of how this happened. But that doesn't change the fact that sensitive data -- associated with real identities -- is now in the hands of MS and a slew of other companies, likely illegally.

> But the authors have chosen to frame this in language that is hyperbolic and alarmist, and in doing so I thing they’re making people focus on the wrong things and actually obscuring the severity of the problem, which is certainly not limited to LinkedIn.

The article is not hyperbolizing by exploring the ramifications of this; and it's true that this sort of tracking is going on everywhere, but neither is it alarmist to draw attention to a particularly egregious case. What wrong things does it focus on?

franktankbank 5d ago

> Alongside thousands of other extensions. If they were scanning for a dozen things and this was one of them, I’d tend to agree with you. But this sounds more like they enumerated known extension IDs for a large number of extensions because getting all installed extensions isn’t possible.

If that's all it takes to fool you then its pretty trivial way to hide your true intentions.

1shooner 5d ago

>Calling the title misleading because they didn't breach the browser sandbox is wrong

By this logic we could also say that LinkedIn scans your home network.

andersonpico 5d ago

Websites could scan your local network covertly up until a few years ago; now it requires explicit permission (like notifications, location, etc)