LinkedIn Accused of Covert User Surveillance and Data Harvesting Without Consent, Raising Global Legal Concerns

Every time one of its billion users visits LinkedIn, something far more complex happens behind the familiar interface. Beneath the surface, embedded scripts quietly scan the user’s device, identifying installed software and browser extensions. This information is then transmitted not only to LinkedIn’s servers but also to third-party entities, including an American-Israeli cybersecurity firm.

What makes this particularly concerning is the absence of transparency. Users are neither informed nor asked for consent. Even LinkedIn’s privacy policy remains silent on this behavior. Unlike anonymous tracking systems, LinkedIn operates on real identities. It knows who you are, where you work, and what you do. This transforms what might otherwise be generic telemetry into deeply personal surveillance tied to identifiable individuals and organizations across the globe.

A Silent Breach of Sensitive Personal Data

The scope of the data being collected goes far beyond harmless analytics. By scanning installed extensions, LinkedIn can infer highly sensitive attributes about its users. These include religious affiliations, political leanings, disabilities, and even job-seeking behavior.

For example, certain browser extensions are specifically designed for practicing Muslims, while others reveal political preferences or support neurodivergent individuals. More notably, LinkedIn reportedly scans for over 500 job search-related tools. This means it can potentially identify users who are discreetly exploring new opportunities—on the same platform where their current employers can view their profiles.

Under European Union law, such data falls into a category whose processing is not merely regulated but strictly prohibited without explicit consent. In this case, there is no visible consent mechanism, no disclosure, and no clear legal basis for such data collection.

Competitive Intelligence or Corporate Espionage?

Another dimension of this activity raises serious concerns about fair competition. LinkedIn is said to scan for more than 200 competing tools, including well-known platforms like Apollo, Lusha, and ZoomInfo. Because LinkedIn has visibility into users’ employers, it can effectively map which companies are using which competing services.

This creates a powerful, and potentially abusive, form of competitive intelligence. By extracting this data directly from users’ browsers, LinkedIn gains insight into the customer bases of rival companies without their knowledge or approval. Reports suggest that this information has already been used to send enforcement warnings to users of third-party tools, indicating that the data is not merely collected but actively utilized.

Regulatory Evasion and the Illusion of Compliance

In 2023, LinkedIn was designated as a gatekeeper under the EU’s Digital Markets Act, which required it to open its platform to third-party integrations. In response, LinkedIn introduced two limited APIs and presented them as compliance measures.

However, these APIs reportedly handle only about 0.07 calls per second, a negligible figure compared to LinkedIn’s internal “Voyager” API, which processes approximately 163,000 calls per second. Interestingly, while Microsoft’s extensive compliance report mentions APIs hundreds of times, it makes no reference to Voyager.

At the same time, LinkedIn appears to have intensified its monitoring of third-party tools. The number of tracked products reportedly increased from around 461 in 2024 to over 6,000 by early 2026. This suggests a paradoxical approach: while publicly complying with regulations, LinkedIn may be privately expanding mechanisms to detect and potentially penalize the very tools those regulations aim to protect.

The Invisible Web of Third-Party Tracking

Beyond its own data collection, LinkedIn integrates third-party tracking mechanisms that operate invisibly. One such element comes from HUMAN Security (formerly PerimeterX), embedded as a zero-pixel tracker that sets cookies without user awareness. Additional scripts, including one from Google, execute silently during page loads.

All of this activity is encrypted and undisclosed, making it nearly impossible for users to understand or control what data is being shared. The result is a layered tracking ecosystem that operates entirely out of sight.
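
For readers who want to check a page for the kind of zero-pixel embed described above, the following added example (not taken from the reports this article summarizes) audits a saved copy of a page's HTML for third-party `img` and `iframe` elements that render at zero size or are hidden. All hostnames are constructed placeholders, and the same-site check is a simplifying assumption; elements injected by scripts at runtime do not appear in static markup and need the browser's developer tools instead.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

def _site(host):
    # Assumption: last two DNS labels approximate the registrable domain.
    # A real audit should use a public-suffix list instead.
    return ".".join(host.lower().split(".")[-2:])

def _css_zero(style, prop):
    # style is lowercased with spaces removed, e.g. "width:0px;height:0"
    return re.search(r"(?:^|;)" + prop + r":0(?:px)?(?:;|$)", style) is not None

def _invisible(attrs):
    style = attrs.get("style", "").replace(" ", "").lower()
    zero_attr = all(re.fullmatch(r"0(px)?", attrs.get(k, "").strip())
                    for k in ("width", "height"))
    zero_css = _css_zero(style, "width") and _css_zero(style, "height")
    hidden = "display:none" in style or "visibility:hidden" in style
    return zero_attr or zero_css or hidden

class _Auditor(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_site = _site(page_host)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("img", "iframe"):
            return
        a = {k: (v or "") for k, v in attrs}
        host = urlparse(a.get("src", "")).hostname
        # Relative URLs and same-site hosts are first-party: skip them.
        if host and _site(host) != self.page_site and _invisible(a):
            self.findings.append((tag, host))

def audit(html, page_host):
    parser = _Auditor(page_host)
    parser.feed(html)
    return parser.findings

# Constructed sample markup; every host below is a placeholder.
SAMPLE_HTML = """
<img src="https://www.example-social.test/logo.png" width="0" height="0">
<iframe src="https://collector.tracker-a.test/px" style="width: 0px; height: 0px; border: 0"></iframe>
<img src="https://cdn.vendor-b.test/banner.png" width="300" height="100">
<img src="https://t.vendor-c.test/p.gif" width="0" height="0">
<iframe src="https://x.vendor-d.test/f" style="display:none"></iframe>
"""

if __name__ == "__main__":
    for tag, host in audit(SAMPLE_HTML, "www.example-social.test"):
        print(f"hidden third-party <{tag}> from {host}")
```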


Our Perspective on This Case

From a technical and ethical standpoint, this situation represents a significant breakdown in trust between a platform and its users. Platforms like LinkedIn are built on professional credibility and identity, which makes undisclosed surveillance particularly problematic. When users engage with such a service, they do so under the assumption that their data is handled transparently and responsibly.

What stands out here is not just the scale of the data collection, but the nature of it. Inferring sensitive personal attributes and competitive business intelligence without consent crosses into territory that many jurisdictions consider unlawful. Even more concerning is the apparent mismatch between public regulatory compliance and internal operational practices.

In our view, this case highlights a broader issue within the tech industry: the gap between what companies disclose and what they actually do behind the scenes. As regulations evolve, enforcement must also become more technically sophisticated to detect such hidden behaviors.

For users and organizations alike, this serves as a reminder to critically evaluate the platforms they rely on daily. Transparency should not be optional, especially when dealing with data that can impact careers, privacy, and competitive integrity.