Through LinkedIn’s more than one billion business users, the Microsoft unit has access to a vast array of personally-identifiable information, including data that could identify religious and political positions. What is less clear is what LinkedIn does with all of that data.
A small European company that sells a browser extension to leverage different aspects of LinkedIn data is running a campaign, which it calls BrowserGate, that accuses LinkedIn of “illegally searching your computer” and “running one of the largest corporate espionage operations in modern history.”
“Every time any of LinkedIn’s one billion users visits linkedin.com, hidden code searches their computer for installed software, collects the results, and transmits them to LinkedIn’s servers and to third-party companies including an American-Israeli cybersecurity firm,” the company claimed.
“The user is never asked. Never told. LinkedIn’s privacy policy does not mention it,” the BrowserGate site said. “Because LinkedIn knows each user’s real name, employer, and job title, it is not searching for anonymous visitors. It is searching identified people at identified companies.”
LinkedIn denies some of those accusations, and avoids addressing the remainder.
“This [accusation] is a house of cards built entirely upon a fabrication,” said a LinkedIn statement emailed to CIO.com. “We do disclose that we scan for browser extensions in our privacy policy, in order to detect abuse and provide defense for site stability.”
When asked whether it uses that data solely to do those things, LinkedIn did not reply.
Possible misuse
The key person behind the allegations calls himself Steven Morrell (not his legal name, which he asked CIO.com to not publish). The company he represents also has different names, including Teamfluence and Fairlinked.
Morrell said that LinkedIn is gathering data that includes sensitive details, including information that he argued could be used to determine religious and political leanings. Gathering such data, Morrell said, could violate European privacy rules.
But Morrell is not saying that LinkedIn is in fact using the data to determine those preferences, but merely that they could. Much the same could be said for almost all large companies.
Morell isn’t exactly unbiased, however. He and LinkedIn are also involved in a legal dispute in Germany, in which Morrell said that LinkedIn violated EU rules and that it improperly kicked him, and others, off the service.
LinkedIn countered that Morell and the other plaintiffs had violated its terms of service with their plugins. Last month, a judge in Munich sided with LinkedIn, dismissing the motion for a preliminary injunction.
Might cause compliance issues
Safayat Moahamad, research director at Info-Tech Research Group, said that compliance approaches throughout the European Union and the UK could indeed have some issues with this deep a level of data collection.
“European courts are likely to support platforms that restrict automated data harvesting, when they can plausibly link organization-level policy enforcement actions to consumer protection and regulatory compliance,” Moahamad said.
Advice for CIOs
Cybersecurity consultant Brian Levine, executive director of FormerGov, said enterprise CIOs should use these allegations, even if they prove to be untrue, to help them tweak their data strategy and privacy policies for 2026.
“Assuming the BrowserGate allegations are true, LinkedIn users should consider reducing the amount of identifiable, trackable, or sensitive data their browser exposes, and organizations should treat LinkedIn as a potentially hostile web environment until facts are verified,” Levine said. “Even if BrowserGate is exaggerated, browser fingerprinting is a real, widespread practice across the web. Treat LinkedIn like any other third-party data collector. LinkedIn has historically been treated as safe, [but] that assumption may need to be revisited.”
Levine said IT executives should “assume that LinkedIn can map your tech stack” and that, if the claims are accurate, LinkedIn could infer “which SaaS tools your employees use, which competitors you rely on, which job search tools your staff is using and which political/religious extensions appear inside your workforce.”
He added that IT should consider blocking LinkedIn on sensitive networks, or require it to only be accessed through VDI, as well as employing browser isolation techniques. Some companies might even want to use a separate isolated browser solely for LinkedIn, or, he said, “use a sandboxed browser session, such as Browserling or other cloud-isolated browsers.”
This article originally appeared on CSOonline.
Read More from This Article: Questions raised about how LinkedIn uses the petabytes of data it collects
Source: News