this post was submitted on 02 Apr 2026
198 points (82.4% liked)


Microsoft is running one of the largest corporate espionage operations in modern history. Every time any of LinkedIn’s one billion users visits linkedin.com, hidden code searches their computer for installed software, collects the results, and transmits them to LinkedIn’s servers and to third-party companies including an American-Israeli cybersecurity firm.

https://news.ycombinator.com/item?id=47613981

[–] bleistift2@sopuli.xyz 223 points 6 days ago (6 children)

First comment from the link:

Every time you open LinkedIn in a Chrome-based browser, LinkedIn’s JavaScript executes a silent scan of your installed browser extensions. The scan probes for thousands of specific extensions by ID, collects the results, encrypts them, and transmits them to LinkedIn’s servers.

That is very different from “searches their computer for installed software”

[–] credo@lemmy.world 63 points 6 days ago (1 children)

Well, I guess it’s technically installed software… but the scope is significantly less than what’s implied from the headline. My immediate reaction was, “how?”

This is basically standard browser fingerprinting, hence why it’s sold for surveillance activities. LinkedIn is big brother.

[–] Jason2357@lemmy.ca 2 points 4 days ago* (last edited 4 days ago)

Yeah, the description is misleading because anyone reading it is thinking desktop software. But… hear me out. I know that all the surveillance capitalism companies do this, but in this case it is literally pairing what is mostly corporate IT policy data (browser, hardware, OS, and extensions) with employee name, title, and employer. That does technically fit the definition of corporate espionage, and I am always open to getting more people -especially people with some levers in government- onto “our side” of the Internet privacy conflict.

[–] Madrigal@lemmy.world 54 points 6 days ago (1 children)

Still don’t really understand why browsers expose this data to sites.

Web browsers are just such a massive security hole.

[–] bleistift2@sopuli.xyz 21 points 6 days ago (1 children)

On the contrary, websites are incredibly sandboxed. It’s damn near impossible to find out anything about the computer. Off the top of my head: Want to know where the file lives that the user just picked? Sure, it’s C:\fakepath\filename. Wanna check the color of a link to see if the user has visited the site before? No need to check. The answer will be ‘false’. Always.

[–] Madrigal@lemmy.world 22 points 6 days ago (3 children)

Here's the information a web server needs to deliver content to a browser:

  • The requested resource
  • An IP address
  • User credentials (sometimes)

Everything else is a fucking security hole. There's no good reason for servers to know what extensions you have installed, what OS you're running, the dimensions of your browser window, where your mouse cursor is positioned, or any one of a thousand other data points that browsers freely hand over.

[–] Serinus@lemmy.world 13 points 6 days ago (1 children)

There are absolutely reasons. Firefox is doing a reasonable job of anti-fingerprinting, and it's a fine line to walk to disable as many of those indicators as possible without breaking sites.

Browsers do give away too much, but at least Firefox is working on it. And it's not extremely straightforward.

[–] wonderingwanderer@sopuli.xyz 1 points 4 days ago

I use waterfox with all of the privacy and security settings enabled to the max, plus a few extensions like ublock origin, decentraleyes, consent-o-matic, and clearurls.

Not that many sites break. And the ones that do, I don't visit. If you don't need to offer an https option, or you don't work without trackers, I don't need to go to your site. Simple as that.

[–] bleistift2@sopuli.xyz 2 points 5 days ago (1 children)

The browser can never know what information is needed for a certain use case. So it needs to be permissive in order to not break valid uses.

For instance, your list does not include the things a user clicks on the website. But that’s exactly the info I needed to log recently. A user was complaining that dropdowns would close automatically. We quickly reached the assumption that something was sending two click events. In order to prove that, I started logging the users’ clicks. If there were two in the same millisecond, then it’s definitely not a bug but a hardware (or driver or OS or whatever) issue.

[–] Madrigal@lemmy.world 3 points 5 days ago

Bug fixing is not a reason to enable massive privacy violations.

[–] Dnb@lemmy.dbzer0.com -1 points 6 days ago (1 children)

If the site doesn't know the window width it can't react to mobile or desktop users automatically or scale elements / change to best for your display.

You need mouse input for hovering effects as well

[–] Madrigal@lemmy.world 7 points 6 days ago (2 children)

That can all be done 100% client side. The server does not need this information.

[–] 3abas@lemmy.world 6 points 6 days ago (1 children)

If you can do it client side, you can send it to a server...

The difference is intent.

[–] Madrigal@lemmy.world 4 points 6 days ago (1 children)

you can send it to a server

Yes, because web browsers, under current web architecture, allow this.

This is entirely my point.

[–] msage@programming.dev 3 points 6 days ago

They will always allow it as long as you have javascript or any other code.

[–] Dnb@lemmy.dbzer0.com 4 points 6 days ago* (last edited 6 days ago)

Ah, I read it as the browser doesn't need that data. I'd say it needs width (maybe height) but that's it

But this info talked about in OP is done via client sending the data to a server not the server getting it all the time

[–] hansolo@lemmy.today 14 points 6 days ago

WTF is this article? Browser extensions are standard browser fingerprinting data.

[–] PattyMcB@lemmy.world 8 points 6 days ago

Gonna have to agree here. Article headline is rage bait

[–] lmr0x61@lemmy.ml 1 points 6 days ago (2 children)

That sounds… normal? And maybe even sensible, especially if LinkedIn does SSR, since that could allow the servers to know how to tailor the content to the specific browser requesting a page.

[–] TootGuitar@sh.itjust.works 14 points 6 days ago (2 children)

In what fucking world is it “normal” or “sensible” to scan your browser extensions to decide how to render a page? Please explain.

I’ve been doing web development for 30 years and I have not once ever had the desire or need to do this.

[–] runit@lemmy.zip 1 points 5 days ago (1 children)

The reason is fingerprinting. Verrrry old technique. Adtech stuff. You might collect browser extension, webgl information, CPU core count, screen resolution, IP address, reverse dns, locale, headers, user agent, akamai hash, etc. The reason is so that these metrics can then be enriched to build a consumer profile and used in analytics

[–] TootGuitar@sh.itjust.works 1 points 4 days ago* (last edited 4 days ago)

Thanks, I worked in adtech for a number of years so I’m aware of this use case. I could tell some stories that would likely surprise you at how sophisticated that industry has been for a long time, even as long as 10-15 years ago.

But the parent post specifically said this was “sensible” and maybe “normal” to do this to decide how to render a page. My question was specifically how that claim makes sense at all.

[–] paraphrand@lemmy.world 1 points 6 days ago

I can only think of reasons that are meant to block you based on what you are using to augment your browsing experience.

[–] Jason2357@lemmy.ca 1 points 4 days ago (1 children)

That might have been a sensible argument 20 years ago. Mozilla has spent the last 5 or so slowly stripping most of that out for “anti-fingerprinting” without breaking website layout.

[–] TootGuitar@sh.itjust.works 2 points 4 days ago (1 children)

I have been doing web development pretty much since the web was created.

"Sniffing your browser extensions is normal to be able to render the page correctly" is not and was never a sensible argument. 20 years ago, neither Chrome nor the iPhone existed yet. Most people browsed the web on computers, and "works best in Internet Explorer" was widespread. Web developers were lazy and many of them literally only tested their sites in IE on Windows. Browser extensions themselves were much more of a niche thing since IE didn't support them.

[–] Jason2357@lemmy.ca 1 points 4 days ago

I will have to yield to your experience then. I mainly thought of it as a naive type of sensible argument, given people were not all that concerned about tracking and particularly browser fingerprinting. I guess back then, the main thing was web developers who used flash needed to check for it. But those people were anti-open web back then and deserved to be ignored by the browser makers.

I am guessing you were strongly in the open web camp back then. I am glad we sort of won that particular battle, even if we lost so many others.

[–] crystalmerchant@lemmy.world 0 points 6 days ago (1 children)
[–] Goodlucksil@lemmy.dbzer0.com 15 points 6 days ago

DuckDuckGo is still a Chromium browser. Firefox, buddies, Firefox.

[–] 1984@lemmy.today 31 points 5 days ago (1 children)

And yet the thread you linked says they are scanning for browser plugins.

Which is very different from scanning our computers....

[–] TeddE@lemmy.world 12 points 5 days ago

Right? It describes some fingerprinting techniques the site uses, but browser sandboxing limits the available data.

This type of scan is uncommon, and slightly more invasive than other tracking techniques, but neither new nor urgent.

It doesn't paint the site operator as a paragon of privacy for sure tho.

[–] Blaster_M@lemmy.world 30 points 6 days ago (1 children)

Browsing extensions are being discovered by directly probing them - over 6,200 of them - and they are particular extensions tied to religious, political, and neurodivergent use cases. This is more than just browser fingerprinting - it is breaching the privacy of the user and profiling them in ways deemed illegal in the EU (GDPR) and even California. That doesn't include the tracking cookies, either.

[–] stylusmobilus@aussie.zone 1 points 5 days ago

Theft, as usual

[–] pastermil@sh.itjust.works 12 points 6 days ago (3 children)

Alright, I'll bite. What would one use instead of LinkedIn?

I am not a big fan of it myself, but it's been providing me insight on the corporate world. I have had great job-seeking experience there, especially with the Easy Apply feature.

Recently, tho, it's been shitty, especially with all the avalanche of AI slop, both as content as well as job requirements.

I'd like to know if there's a less shitty alternative.

[–] dev_null@lemmy.ml 5 points 6 days ago (2 children)

Never used it. I just apply on a given company's website, after finding out about the job on various job boards. I'm not even sure where LinkedIn is supposed to come into play?

[–] Halcyon@discuss.tchncs.de 8 points 6 days ago

Same here, never used LinkedIn and don't see any reason for that. LinkedIn is full of self-promoters, none of whom I want to become.

Open job opportunities are posted everywhere on specialized job platforms. Just subscribe to job postings in your own field and then apply directly.

[–] Angrydeuce@lemmy.world 2 points 5 days ago

That's for after you're onboarded, so they know what names to drop when they're sending you scam texts and emails.

So whatever you do, make sure first thing you do when you get a new job is drop as much PII in there about your current employer so your IT department doesn't get too lax with thinking people are finally figuring out that the CEO that you've never even met in person would totally send you a text asking you to buy 1000 bucks worth of iTunes giftcards on your second day of employment.

[–] THE_GR8_MIKE@lemmy.world 2 points 5 days ago

Every professional job I've ever gotten was through Indeed. Had nothing to do with LinkedIn.

[–] eneff@discuss.tchncs.de 2 points 6 days ago (1 children)

I just don't use it. Not sure what exactly I'm supposed to be missing out on.

This is the answer. If you can’t get work or stay on top of your field without LinkedIn, that’s a you problem. Not an industry problem. If you want to play the grind game, yeah have fun on Facebook for stooges.

[–] bryndos@fedia.io 3 points 5 days ago

The author of this article obviously isn't searching my computer though, since they don't know shit about who is or isn't illegally searching it. But it certainly isn't whatever this LinkedIn thing is.