The headline seems pretty misleading. Here’s what seems to actually be going on:

> Every time you open LinkedIn in a Chrome-based browser, LinkedIn’s JavaScript executes a silent scan of your installed browser extensions. The scan probes for thousands of specific extensions by ID, collects the results, encrypts them, and transmits them to LinkedIn’s servers.

This does seem invasive. It also seems like what I’d expect to find in modern browser fingerprinting code. I’m not deeply familiar with what APIs are available for detecting extensions, but the fact that it scans for specific extensions sounds more like a product of an API limitation (i.e. no available getAllExtensions() or somesuch) vs. something inherently sinister (e.g. “they’re checking to see if you’re a Muslim”).

I’m certainly not endorsing it, do think it’s pretty problematic, and I’m glad it’s getting some visibility. But I do take some issue with the alarmist framing of what’s going on.

I’ve come to mostly expect this behavior from most websites that run advertising code and this is why I run ad blockers.

• andersonpico

  today at 1:57 PM

  How is probing your browser for installed extensions not "scanning your computer"?

  Calling the title misleading because they didn't breach the browser sandbox is wrong when this is clearly a scenario most people didn't think was possible. Chrome added extensionId randomization with the change to V3, so it's clearly not an intended scenario.

  > vs. something inherently sinister (e.g. “they’re checking to see if you’re a Muslim”)

  They chose to put that particular extension in their target list, how is it not sinister? If the list had only extensions to affect LinkedIn page directly (a good chunk seem to be LinkedIn productivity tools) they would have some plausible deniability, but that's not the case. You're just "nothing ever happens"ing this.

  • haswell

    today at 2:19 PM

    > How is probing your browser for installed extensions not "scanning your computer"?

    I think most people would interpret “scanning your computer” as breaking out of the confines the browser and gathering information from the computer itself. If this was happening, the magnitude of the scandal would be hard to overstate.

    But this is not happening. What actually is happening is still a problem. But the hyperbole undermines what they’re trying to communicate and this is why I objected to the title.

    > They chose to put that particular extension in their target list, how is it not sinister?

    Alongside thousands of other extensions. If they were scanning for a dozen things and this was one of them, I’d tend to agree with you. But this sounds more like they enumerated known extension IDs for a large number of extensions because getting all installed extensions isn’t possible.

    If we step back for a moment and ask the question: “I’ve been tasked with building a unique fingerprint capability to combat (bots/scrapers/known bad actors, etc), how would I leverage installed extensions as part of that fingerprint?”

    What the article describes sounds like what many devs would land on given the browser APIs available.

    To reiterate, at no point am I saying this is good or acceptable. I think there’s a massive privacy problem in the tech industry that needs to be addressed.

    But the authors have chosen to frame this in language that is hyperbolic and alarmist, and in doing so I thing they’re making people focus on the wrong things and actually obscuring the severity of the problem, which is certainly not limited to LinkedIn.

    • ryandrake

      today at 2:44 PM

      > What the article describes sounds like what many devs would land on given the browser APIs available.

      > To reiterate, at no point am I saying this is good or acceptable. I think there’s a massive privacy problem in the tech industry that needs to be addressed.

      These two sentences highlight the underlying problem: Developers without an ethical backbone, or who are powerless to push back on unethical projects. What the article describes should not be "what many devs would land on" naturally. What many devs should land on is "scanning the user's browser in order to try to fingerprint him without consent is wrong and we cannot do it."

      To put it more extreme: If a developer's boss said "We need to build software for a drone that will autonomously fly around and kill infants," The developer's natural reaction should not be: "OK, interesting problem. First we'll need a source of map data, and vision algorithm that identifies infants...." Yet, our industry is full of this "OK, interesting technology!" attitude.

      Unfortunately, for every developer who is willing to draw the line on ethical grounds, there's another developer waiting in the recruiting pipeline more than willing to throw away "doing the right thing" if it lands him a six figure salary.

      • turtletontine

        today at 6:16 PM

        > These two sentences highlight the underlying problem: Developers without an ethical backbone, or who are powerless to push back on unethical projects.

        One reason your boss is eager to replace everyone with language models, they won’t have any “ethical backbone” :’)

        • DrewADesign

          today at 6:43 PM

          Many developers overestimate their agency without extremely high labor demand. We got a say because replacing us was painful, not because of our ethics and wisdom. Without that leverage, developers are cogs just like every other part of the machine.

      • haswell

        today at 2:54 PM

        I completely agree.

        Fighting against these kinds of directives was a large factor in my own major burnout and ultimately quitting big tech. I was successful for awhile, but it takes a serious toll if you’re an IC constantly fighting against directors and VPs just concerned about solving some perceived business problem regardless of the technical barriers.

        Part of the problem is that these projects often address a legitimate issue that has no “good” solution, and that makes pushing back/saying no very difficult if you don’t have enough standing within the company or aren’t willing to put your career on the line.

        I’d be willing to bet good money that this LinkedIn thing was framed as an anti-bot/anti-abuse initiative. And those are real issues.

        But too many people fail to consider the broader implications of the requested technical implementation.

      • jt2190

        today at 3:47 PM

        > These two sentences highlight the underlying problem: Developers without an ethical backbone, or who are powerless to push back on unethical projects. What the article describes should not be "what many devs would land on" naturally. What many devs should land on is "scanning the user's browser in order to try to fingerprint him without consent is wrong and we cannot do it."

        I think using LinkedIn is pretty much agreeing to participate in “fingerprinting” (essentially identifying yourself) to that system. There might be a blurry line somewhere around “I was just visiting a page hosted on LinkedIn.com and was not myself browsing anyone else’s personal information”, but otherwise LinkedIn exists as a social network/credit bureau-type system. I’m not sure how we navigate this need to have our privacy while simultaneously needing to establish our priors to others, which requires sharing information about ourselves. The ethics here is not black and white.

      • jcgrillo

        today at 4:18 PM

        You can't actually push back as an IC. Tech companies aren't structured that way. There's no employment protection of any kind, at least in the US. So the most you can do is protest and resign, or protest and be fired. Either way, it'll cost you your job. I've paid that price and it's steep. There's no viable "grassroots" solution to the problem, it needs to come from regulation. Managers need to serve time in prison, and companies need to be served meaningfully damaging fines. That's the only way anything will get done.

        • philipallstar

          today at 7:33 PM

          > There's no viable "grassroots" solution to the problem

          Does something like running the duckduckgo extension not help?

        • worik

          today at 8:07 PM

          > There's no viable "grassroots" solution to the problem, it needs to come from regulation. Managers need to serve time in prison,

          No, yes

          Yes, giving these people short (or long, mēh) prison sentences is the only thing that will stop this.

          No, the obvious grassroots response is to not use LinkedIn or Chrome. (You mean developers not consumers, I think. The developers in the trenches should obey if they need their jobs, they are not to blame. It is the evil swine getting the big money and writing the big cheque's...)

      • mrguyorama

        today at 5:01 PM

        I integrate these kinds of systems in order to prevent criminals from being able to use our ecommerce platform to utilize stolen credit cards.

        That involves integrating with tracking providers to best recognize whether a purchase is being made by a bot or not, whether it matches "Normal" signals for that kind of order, and importantly, whether the credit card is being used by the normal tracking identity that uses it.

        Even the GDPR gives us enormous leeway to do literally this, but it requires participating in tracking networks that have what amounts to a total knowledge of purchases and browsing you do on the internet. That's the only way they work at all. And they work very well.

        Is it Ethical?

        It is a huge portion of the reason why ecommerce is possible, and significantly reduces credit card fraud, and in our specific case, drastically limits the ability of a criminal to profit off of stolen credit cards.

        Are people better off from my work? If you do not visit our platforms, you are not tracked by us specifically, but the providers we work with are tracking you all over the web, and definitely not just on ecommerce.

        Should this be allowed?

        • benregenspan

          today at 5:47 PM

          What I'm wondering is if this requires sending the full list of extensions straight to a server (as opposed to a more privacy-protecting approach like generating some type of hash clientside)?

          Based on their privacy policy, it looks like Sift (major anti-fraud vendor) collects only "number of plugins" and "plugins hash". No one can accuse them of collecting the plugins for some dual-use purpose beyond fingerprinting, but LinkedIn has opened themselves up to this based on the specific implementation details described.

          • mrguyorama

            today at 7:25 PM

            The SOP of this entire industry is "Include this javascript link in your tag manager of choice", and it will run whatever javascript it can to collect whatever they want to collect. You then integrate in the back end to investigate the signals they sell you. America has no GDPR or similar law, so your "privacy" never enters the picture. They do not even think about it.

            This includes things like the motion of your mouse pointer, typing events including dwell times, fingerprints. If our providers are scanning the list of extensions you have installed, they aren't sharing that with us. That seems overkill IMO for what they are selling, but their business is spyware so...

            On the backend, we generally get the results and some signals. We do not get the massive pack of data they have collected on you. That is the tracking company's prime asset. They sell you conclusions using that data, though most sell you vague signals and you get to make your own conclusions.

            Frankly, most of these providers work extremely well.

            Sometimes, one of our tracking vendors gets default blackholed by Firefox's anti-tracking policy. I don't know how they manage to "Fix" that but sometimes they do.

            Again, to make that clear, I don't care what you think Firefox's incentives are, they objectively are doing things that reduce how tracked you are, and making it harder for these companies to operate and sell their services. Use Firefox.

            In terms of "Is there a way to do this while preserving privacy?", it requires very strict regulation about who is allowed to collect what. Lots of data should be collected and forwarded to the payment network, who would have sole legal right to collect and use such data, and would be strictly regulated in how they can use such data, and the way payment networks handle fraud might change. That's the only way to maintain strong credit card fraud prevention in ecommerce, privacy, status quo of use for customers, and generally easy to use ecommerce. It would have the added benefit of essentially banning Google's tracking. It would ban "Fraud prevention as a service" though, except as sold by payment networks.

            Is this good? I don't know.

        • michaelt

          today at 6:08 PM

          > Even the GDPR gives us enormous leeway to do literally this, but it requires participating in tracking networks that have what amounts to a total knowledge of purchases and browsing you do on the internet. That's the only way they work at all.

          That data sounds like it would be very valuable.

          But I think if I sell widgets and a prospective customer browsers my site, telling my competitors (via a data broker) that customer is in the market for widgets is not a smart move.

          How do such tracking networks get the cooperation of retailers, when it’s against the retailers interests to have their customers tracked?

          • kevin_thibedeau

            today at 6:33 PM

            They get demographic data on their customers and can use that for marketing and setting prices.

      • orochimaaru

        today at 6:40 PM

        One works for money. And money is important. Ethics isn’t going pay mortgage, send kids to university and all that other stuff. I’m not going to do things that are obviously illegal. But if I get a requirement that needs to be met and then the company legal team is responsible for the outcome.

        In short, you are not going to solve this problem blaming developer ethics. You need regulation. To get the right regulation we need to get rid of PACs and lobbying.

        • IG_Semmelweiss

          today at 7:48 PM

          You are transfering moral agency from yourself, to the government.

          Will you do the same for your kids ? WOuld you let the government decide for you whats right, and what's wrong ?

          • ryandrake

            today at 7:57 PM

            Regulation does not necessarily need to be about deciding what's right and what's wrong. It's about making life better for people. That's supposed to be why we have government. If they are not improving people's lives, why do we even have them? Too many people see the government doing nothing to improve their lives and think there's totally nothing wrong with that.

          • worik

            today at 8:11 PM

            > You are transfering moral agency from yourself, to the government

            That is the deal in a state based society. There are alternatives, but are you ready for Council Communism and it's ilk?

            > WOuld you let the government decide for you whats right, and what's wrong ?

            Yes, in a state based society

            In a state based society fight for democracy and civil rights. Freedom must be defended

    • emacdona

      today at 2:32 PM

      > I think most people would interpret “scanning your computer” as breaking out of the confines the browser and gathering information from the computer itself.

      That is exactly how I interpreted it, and that is why I clicked the link. When I skimmed the article and realized that wasn't the case, I immediately thought "Ugh, clickbait" and came to the HN comments section.

      > To reiterate, at no point am I saying this is good or acceptable. I think there’s a massive privacy problem in the tech industry that needs to be addressed.

      100% Agree.

      So, in summary: what they are doing is awful. Yes, they are collecting a ton of data about you. But, when you post with a headline that makes me think they are scouring my hard drive for data about me... and I realize that's not the case... your credibility suffers.

      Also, I think the article would be better served by pointing out that LinkedIn is BY FAR not the only company doing this...

      • smohare

        today at 7:20 PM

        [dead]

      • lejalv

        today at 3:23 PM

        But LinkedIn is the one social network many people literally cannot escape to put food on the table.

        I don't care about how much spying is going on in ESPN. I can ditch it at the shadow of a suspicion. Not so with LinkedIn.

        This is very alarming, and pretending it's not because everyone else does it sounds disingenuous to me.

        • umanwizard

          today at 7:29 PM

          You can also just browse LinkedIn with a browser that doesn’t have extensions installed, if privacy is that important to you.

          Like everyone else on this thread, I’m not condoning it or saying it’s a good thing, but this post is an exaggeration.

        • franktankbank

          today at 4:13 PM

          That sounds problematic and is only supported by people mindlessly agreeing to it. I know someone who got jobs at google and apple with no linkedin, and he wasn't particularly young. What do you do in the face of it? I say quit entirely. It was an easy decision because I got nothing out of it during the entire time I was on it.

          • lejalv

            today at 8:20 PM

            I have heard people say that LinkedIn was vital to their career.

            For myself, I agree with you: one should quit (and I will)

    • nightpool

      today at 2:57 PM

      > I think most people would interpret “scanning your computer” as breaking out of the confines the browser and gathering information from the computer itself.

      Yes, but I also think that most people would interpret "Getting a full list of all the Chrome extensions you have installed" as a meaningful escape/violation of the browser's privacy sandbox. The fact that there's no getAllExtensions API is deliberate. The fact that you can work around this with scanning for extension IDs is not something most people know about, and the Chrome developers patched it when it became common. So I don't think describing it as something everybody would expect is totally fine and normal for browsers to allow is correct.

      • crazygringo

        today at 7:06 PM

        > Yes, but I also think that most people would interpret "Getting a full list of all the Chrome extensions you have installed" as a meaningful escape/violation of the browser's privacy sandbox.

        I don't think so, because most people understand that extensions necessarily work inside of the sandbox. Accessing your filesystem is a meaningful escape. Accessing extensions means they have identification mechanisms unfortunately exposed inside the sandbox. No escape needed.

        It's extremely unfortunate that the sandbox exposes this in some way.

        Microsoft should be sued, but browsers should also figure out how to mitigate revealing installed extensions.

      • haswell

        today at 3:31 PM

        > I also think that most people would interpret "Getting a full list of all the Chrome extensions you have installed" as a meaningful escape/violation of the browser's privacy sandbox

        I think that’s a far more reasonable framing of the issue.

        > I don't think describing it as something everybody would expect is totally fine and normal for browsers to allow is correct.

        I agree that most people would not expect their extensions to be visible. I agree that browsers shouldn’t allow this. I, and most privacy/security focused people I know have been sounding the alarm about Chrome itself as unsafe if you care about privacy for awhile now.

        This is still a drastically different thing than what the title implies.

    • ksymph

      today at 3:21 PM

      > Alongside thousands of other extensions. If they were scanning for a dozen things and this was one of them, I’d tend to agree with you. But this sounds more like they enumerated known extension IDs for a large number of extensions because getting all installed extensions isn’t possible.

      To take a step back further: what you're saying here is that gathering more data makes it less sinister. The gathering not being targeted is not an excuse for gathering the data in the first place.

      It's likely that the 'naive developer tasked with fingerprinting' scenario is close to the reality of how this happened. But that doesn't change the fact that sensitive data -- associated with real identities -- is now in the hands of MS and a slew of other companies, likely illegally.

      > But the authors have chosen to frame this in language that is hyperbolic and alarmist, and in doing so I thing they’re making people focus on the wrong things and actually obscuring the severity of the problem, which is certainly not limited to LinkedIn.

      The article is not hyperbolizing by exploring the ramifications of this; and it's true that this sort of tracking is going on everywhere, but neither is it alarmist to draw attention to a particularly egregious case. What wrong things does it focus on?

      • haswell

        today at 5:28 PM

        > The gathering not being targeted is not an excuse for gathering the data in the first place.

        I’m not saying it is. My point is that they appear to be trying to accomplish something like getInstalledExcentions(), which is meaningfully different from a small and targeted list like isInstalled([“Indeed.com”, “DailyBibleVerse”, “ADHD Helper”]).

        One could be reasonably interpreted as targeting specific kinds of users. What they’re actually doing to your point looks more like a naive implementation of a fingerprinting strategy that uses installed extensions as one set of indicators.

        Both are problematic. I’m not arguing in favor of invasive fingerprinting. But what one might infer about the intent of one vs. the other is quite different, and I think that matters.

        Here are two paragraphs that illustrate my point:

        > “Microsoft reduces malicious traffic to their websites by employing an anti-bot/anti-abuse system that builds a browser fingerprint consisting of <n> categories of identifiers, including Browser/OS version, installed fonts, screen resolution, installed extensions, etc. and using that fingerprint to ban known offenders. While this approach is effective, it raises major privacy concerns due to the amount of information collected during the fingerprinting process and the risk that this data could be misused to profile users”.

        vs.

        > “Microsoft secretly scans every user’s computer software to determine if they’re a Christian or Muslim, have learning disabilities, are looking for jobs, are working for a competitor, etc.”

        The second paragraph is what the article is effectively communicating, when in reality the first paragraph is almost certainly closer to the truth.

        The implications inherent to the first paragraph are still critical and a discussion should be had about them. Collecting that much data is still a major privacy issue and makes it possible for bad things to happen.

        But I would maintain that it is hyperbole and alarmism to present the information in the form of the second paragraph. And by calling this alarmism I’m not saying there isn’t a valid alarm to raise. But it’s important not to pull the fire alarm when there’s a tornado inbound.

        • eipi10_hn

          today at 6:10 PM

          Calling out the fingerprinting users' extensions is not hyperbolic. Defending that action is.

          • haswell

            today at 7:09 PM

            Calling out the fingerprinting of extensions is appropriate and can be achieved without hyperbole.

            As I’ve stated clearly throughout this thread, the fingerprinting they’re doing is a problem.

            Calling it “searching your computer” is also a problem.

            > Defending that action is

            Nowhere have I defended what LinkedIn is doing.

    • Kuraj

      today at 6:11 PM

      > I think most people would interpret “scanning your computer” as breaking out of the confines the browser and gathering information from the computer itself. If this was happening, the magnitude of the scandal would be hard to overstate.

      But at the end of the day, the browser is likely where your most sensitive data is.

    • globular-toast

      today at 7:04 PM

      > I think most people would interpret “scanning your computer” as breaking out of the confines the browser and gathering information from the computer itself.

      Which they would, if they could.

      They are scanning users' computers to the maximum extent possible.

    • lejalv

      today at 3:20 PM

      > making people focus on the wrong things and actually obscuring the severity of the problem, which is certainly not limited to LinkedIn.

      No, LinkedIN has much more sensitive data already. Combined with which the voracious fingerprinting, this stands out as a particularly dystopian instance of surveillance capitalism

    • franktankbank

      today at 4:11 PM

      > Alongside thousands of other extensions. If they were scanning for a dozen things and this was one of them, I’d tend to agree with you. But this sounds more like they enumerated known extension IDs for a large number of extensions because getting all installed extensions isn’t possible.

      If that's all it takes to fool you then its pretty trivial way to hide your true intentions.

  • afandian

    today at 2:02 PM

    When "the browser is the OS", scanning that is a pretty big chunk of "your computer".

    • chii

      today at 2:05 PM

      but the language of "your computer" implies files on your computer, as it would be what people commonly call it. Merely just the extension is not enough.

      If it has the ability to scan your bookmarks, or visited site history, that would lend more credence to using the term "computer".

      The title ought to have said "linkedIn illegally scans your browser", and that would make clear what is being done without being sensationalist.

      • pqtyw

        today at 2:12 PM

        Extensions are files installed on your computer, though?

        • haswell

          today at 5:48 PM

          So are fonts. But running Window.queryLocalFonts() is not equivalent to “illegally searching your computer”.

          I’m not defending the act of scanning for these extensions, and I’m of the opinion that such an API shouldn’t even exist, but just pointing out that there are perfectly legitimate APIs that reveal information that could be framed as “files installed on your computer” that are clearly not “searching your computer” like the title implies.

        • chii

          today at 2:18 PM

          it doesn't have to be files. it could be in memory on the browser. Extensions don't imply files for anyone but the most technical of conversations. Certainly not to the laymen.

          Having sensationalist titles should be called out at every opportunity.

          • blenderob

            today at 2:59 PM

            > it doesn't have to be files. it could be in memory on the browser.

            How'd that work? If it's in memory, the extensions would vanish everytime I shutdown Chrome? I'll have to reinstall all my extensions again everytime I restart Chrome?

            Have you seen any browser that keeps extension in memory? Where they ask the user to reinstall their extensions everytime they start the browser?

        • voganmother42

          today at 5:02 PM

          Reminds me of https://xkcd.com/1200/

          • Dylan16807

            today at 6:12 PM

            But it's not getting access to real user data, just a partial list of things that are installed.

      • blenderob

        today at 2:09 PM

        > but the language of "your computer" implies files on your computer, as it would be what people commonly call it. Merely just the extension is not enough.

        But the language of "your computer" also implies software on your computer including but not limited to Chrome extensions.

        • ImPostingOnHN

          today at 3:18 PM

          It implies more than just the browser, which is likely why it was used for the post title. If it is exclusively limited to the browser, then "scans your browser" is more correct, and doesn't mislead the reader into thinking something is happening which isn't commonplace on the internet.

      • justonceokay

        today at 2:50 PM

        Are you defending LinkedIn’s behavior right now or are you just happy to be more technically correct (the best kind of correct!) than those around you? Trying to understand the angle

        • compiler-guy

          today at 3:34 PM

          Something may be bad, but accurately describing why it is bad significantly elevates the discourse.

          Eg, someone could use the phrase "Won't someone think of the children?" to describe a legitimately bad thing like bank fraud, but the solutions that flow from the problem that "children are in danger" are significantly different from the solutions that flow from "phishing attacks are rampant".

          The two issues in this case aren't quite as different as child-endangerment and bank fraud. But if the problem was as the original title describes, the solution is quite different (better sandboxing) than what the actual solution is. Which I don't know, but better sandboxing ain't it.

          • justonceokay

            today at 3:42 PM

            So technically correct. Got it

            • ImPostingOnHN

              today at 4:01 PM

              attacking people for having more nuance and accuracy than you have is how polarization and tribal epistemology happens

              'ignore the facts! ENEMY!!!' generally doesn't end well for anybody

              • cindyllm

                today at 4:04 PM

                [dead]

        • ImPostingOnHN

          today at 3:16 PM

          The browser fingerprinting described is ubiquitous on the internet, used by players large and small. There are even libraries to do this.

          Like OP, I don't consider behavior confined to the browser to be my computer. "Scans your browser" is both technically correct and less misleading. "Scans your computer" was chosen instead, to get more clicks.

    • latkin

      today at 2:16 PM

      And I spend a lot of my time at home on my computer. The article should have said LinkedIn is searching my house.

    • autoexec

      today at 5:24 PM

      It looks like it's also gathering info on your OS and graphics card which seems very much "your computer"

    • taneq

      today at 2:06 PM

      This is just the next iteration of the issues with Linux file permissions, where the original threat model was “the computer is used by many users who need protection from each other”, and which no longer makes much sense in a world of “the computer is used by one or more users who need protection from each other and also from the huge amounts of potentially malicious remote code they constantly execute”.

  • m-schuetz

    today at 4:55 PM

    Scanning your computer is an entirely different thing than scanning browser extensions. By maximizing the expectation via "Illegally searching your computer", the truth suddenly appears harmless.

    • islandfox100

      today at 6:16 PM

      Where do browser extensions exist? I've got a dreadful feeling they might be on my computer.

      • fsckboy

        today at 7:43 PM

        >Where do browser extensions exist? I've got a dreadful feeling they might be on my computer.

        all of the browser extensions I'm aware of are on planet earth, so i guess you'd have it linkedin is searching the planet for your browser extensions?

  • 1shooner

    today at 2:19 PM

    >Calling the title misleading because they didn't breach the browser sandbox is wrong

    By this logic we could also say that LinkedIn scans your home network.

    • andersonpico

      today at 2:55 PM

      Websites could scan your local network covertly up until a few years ago; now it requires explicit permission (like notifications, location, etc)

  • amw-zero

    today at 5:56 PM

    It 100% implies that it's looking for locally installed binaries.

  • leptons

    today at 6:55 PM

    >How is probing your browser for installed extensions not "scanning your computer"?

    The same way taking a photo of a house from the street is not the same as investigating the contents of your pantry.

  • TZubiri

    today at 7:00 PM

    Because "scanning your computer" technically could include scanning plugins, but it could also include scanning your files, your network or your operating system.

    While "scanning your browser" would be more accurate and would exclude the interpretation that it scans your files.

    The reason the latter is not used is that, even though more precise and more communicative, it would get less clicks.

  • j45

    today at 2:13 PM

    There are rules and laws about fingerprinting too, I thought.

    • moffkalast

      today at 3:53 PM

      Lol, lmao even. Lawmakers are banning privacy as fast as they can, this kind of personally identifiable stuff is perfectly aligned with their end goals.

      Checking for extensions is barely anything when you consider the amount of system data a browser exposes in various APIs, and you can identify someone just by checking what's supported by their hardware, their screen res, what quirks the rendering pipeline has, etc. It's borderline trivial and impossible to avoid if you want a working browser, and if you don't the likes of Anubis will block you from every site cause they'll think you're a VM running scraper bot.

  • injidup

    today at 2:10 PM

    In the same way that scanning and identifying your microwave for food you put inside it is not the same as scanning your house and reading the letters in your postbox.

    Your browser is a subset of your computer and lives inside a sandbox. Breaching that sandbox is certainly a much more interesting topic than breaking GDPR by browser fingerprinting.

• gettingoverit

  today at 8:08 PM

  Well, that's precisely what is sinister here.

  Those profiling tools don't really care which features are going to be used for predictions. It's just machine learning, and it's indiscriminate. So if you have an extension that correlates with you being Muslim, it will be used for whatever ML predictions they give to other companies, and the worst case will be another "oh we didn't do this intentionally".

  Of course, that's not the first time this ever happened in human history, so even if it's not "something inherently sinister", it's just "criminal negligence".

• al_borland

  today at 1:48 PM

  > I’ve come to mostly expect this behavior from most websites that run advertising code and this is why I run ad blockers.

  Expecting and accepting this kind of thing is why everyone feels the need to run an ad-blocker.

  An ad-blocker also isn’t full protection. It’s a cat and mouse game. Novel ideas on how to extract information about you, and influence behavior, will never be handled by ad-blockers until it becomes known. And even then, it’s a question of if it’s worth the dev time for the maker of the ad-blocker you happen to be using and if that filter list gets enabled… and how much of the web enabling it breaks.

  • haswell

    today at 1:54 PM

    To be clear, expecting != accepting.

    The point was more that the headline frames this as some major revelation about LinkedIn, while the reality is that we’re getting probed and profiled by far more sites than most people realize.

  • echelon

    today at 6:27 PM

    LinkedIn's whole business model is gatekeeping their database.

    They're scanning your extensions to make sure you aren't using third party tools to scrape LinkedIn.

    It's stupid, but they're trying to stop people from making money on LinkedIn when they feel like they're the only ones that should be able to do that.

    • gausswho

      today at 7:04 PM

      Has anyone published useful parts of their database? It'd be kinda nice to use a rolodex that wasn't slimed with the rest of LI's taint.

  • armchairhacker

    today at 2:20 PM

    Regulation is also a cat-and-mouse game. Life is a cat-and-mouse game.

    • nanocat

      today at 2:33 PM

      [flagged]

• btown

  today at 8:00 PM

  For what it's worth - and I'm not saying that LinkedIn is doing this for the right reasons - I can imagine a frontend QA team wanting to do this to understand how prominent certain extensions are for users of various parts of their product, correlating those extensions against frontend bug reports, and using that to guide QA procedures with real-world extension sets.

  When you're literally the company that invented Kafka for your clickstreams, "everything looks like a nail."

  (More likely, though, this is an anti-scraping initiative, since headless browsers are unlikely to randomize their use of extensions, and they can use this to identify potential scrapers.)

• lastofthemojito

  today at 2:12 PM

  > this is why I run ad blockers.

  It's pretty wild that we live in a world where the actual FBI has recommended we use ad blockers to protect ourselves, and if everyone actually listened, much of the Internet (and economy) as we know it would disappear. The FBI is like "you should protect yourself from the way that the third largest company in the world does business", and the average person's response is "nah, that would take at least a couple of minutes of my time, I'll just go ahead and continue to suffer with invasive ads and make sure $GOOG keeps going up".

  • integralid

    today at 4:07 PM

    >the average person's response is "nah, that would take at least a couple of minutes of my time,

    As a data point I, a technical person who tweaks his computer a lot, was against adblocking for moral reasons (as a part of perceived social contract, where internet is free because of ads). Only later I changed mi mind on this because I became more privacy aware.

    • ronsor

      today at 4:50 PM

      The social contract was "your ads aren't annoying or invasive, and don't waste my time, so I earn you some money"

      But ads are all of those things now, so I feel no obligation. I only got an ad blocker around the time ads were becoming excessively irritating.

      • macNchz

        today at 5:16 PM

        Beyond just invasive/annoying, ad networks explicitly spread malware and scams/fraud. There's not much incentive for them to clamp down on it, though, as that would cost them money both in lost revenue and in paying for more thorough review.

        • cogman10

          today at 8:06 PM

          It'd not even be hard for them to stop it, but they just had to be annoying instead.

          When I first started out on the internet, ads were banners. Literally just images and a link that you could click on to go see some product. That was just fine.

          However, that wasn't good enough for advertisers. They needed animations, they needed sounds, they needed popups, they needed some way to stop the user from just skimming past and ignoring the ad. They wanted an assurance that the user was staring at their ad for a minimum amount of time.

          And, to get all those awful annoying capabilities, they needed the ability to run code in the browser. And that is what has opened the floodgate of malware in advertisement.

          Take away the ability for ads to be bundled with some executable and they become fine again. Turn them back into just images, even gifs, and all the sudden I'd be much more amenable to leaving my ad blocker off.

      • throwawayqqq11

        today at 5:29 PM

        Figure this: You could plaster a page with the most obtrusive ads imaginable without ever showing a cookie banner, when they collect no private info.

        Most people, including folks on here, think cookie banners are a problem, but they are just an annoying attempt to phish your agreement. As long as these privacy loopholes exist, we will keep hearing such stories even from large corporations with much to loose, which means the current privacy regulations do not go far enough.

      • michaelt

        today at 6:17 PM

        > The social contract was "your ads aren't annoying or invasive

        Even back in the 1990s the internet was awash with popups, popunders and animated punch-the-monkey banner ads. And with the speed of dial up, hefty images slows down page loads too.

        You must be a true Internet veteran if you remember a time ads weren’t annoying!

      • leptons

        today at 7:01 PM

        I remember how I felt the first time I saw an ad come across my browser, it seems so long ago - I guess it was more than a quarter century ago now. I knew it was going to be downhill from there, and it has been.

    • bookofjoe

      today at 5:40 PM

      The average person — that would be me — thinks "nah, I have no idea how to install an ad blocker or how one works, and I'm afraid I'll screw up my computer."

    • whynotmaybe

      today at 4:17 PM

      Duckduckgo is free and with ads.

    • ACow_Adonis

      today at 4:27 PM

      You mean the internet you pay to access and which was around before the ads were even on it? That internet?

      I'm not trying to be mean I'm just trying to historically parse your sentence/belief.

      Because for me this is a simplified analogy of what happened on the internet:

      a) we opened a club house called the internet in the early 1990s, just after the time of BBSs

      b) a few years later a new guy called commercial business turned up and started using our club house and fucking around with our stuff

      c) commercial business started going around our club house rearranging the furniture and putting graffiti everywhere saying the internet is here and free because of it. We're pretty sure it might have even pissed in the hallway rather than use the toilet and the whole place is smelling awful.

      d) the rest of us started breaking out the scrubbing brushes and mops (ad blockers, extensions, VPNs, etc) trying to clean up after it

      e) some of its friends turned up and started repeating something about social contracts and how business and ads built this internet place

      f) the rest of us keep crying into our hands just trying to meet up, break out the slop buckets to clean up the vomit in the kitchen and some of us now have to wear gloves and condoms just to share things with our friends and stop the whole place collapsing

      • pixl97

        today at 4:50 PM

        Ya, back when 'we' were fucking around on BBS's there was the equivalent of 10 people online at the time.

        Quantity is a quality in itself. Your BBS was never going to support a million users. Once people figured out the network effect it was over for the masses. They went where the people are, and we've all suffered since.

      • chasd00

        today at 4:45 PM

        > a) we opened a club house called the internet in the early 1990s, just after the time of BBSs

        "we" is doing a lot of work here. No clubhouse got optical switching working and all that fiber in the ground for example. Beyond POC, the Internet was all commercial interests.

        • mech422

          today at 5:44 PM

          "we" paid ISP's ... which in turn, paid for infrastructure. Some of "we" pay cable providers for internet service, which in turn paid for (in my case) fiber-to-the-curb. Advertising basically supported social media, search engines, etc.

        • kibwen

          today at 4:48 PM

          No. The internet was not a commercial enterprise, it was first and foremost a military enterprise, just like GPS.

          • JumpCrisscross

            today at 5:15 PM

            > it was first and foremost a military enterprise, just like GPS

            This is sort of like arguing cutlery is a military enterprise. Like yes, that’s where knives came from. But that’s disconnected enough from modern design, governance and other fundamental concerns as to be irrelevant. The internet—and less ambiguously, the World Wide Web—are more commercial than military.

            • kibwen

              today at 5:36 PM

              This is moving the goalposts. The commenter above is talking about the enthusiast-populated internet of the late 80s/early 90s, at which point it still wasn't even clear if it was legal to use the internet for commercial purposes. If all you mean to say is that the internet is currently commercialized, yes, that is obviously true, in much the same way that a disgusting ball of decomposing fungus may have once been an apple.

              • JumpCrisscross

                today at 5:38 PM

                > commenter above is talking about the enthusiast-populated internet of the late 80s/early 90s, at which point it still wasn't even clear if it was legal to use the internet for commercial purposes

                Source? Not doubting. But I have a friend who was buying airline tickets through CompuServe in the late 80s/early 90s.

      • jmuguy

        today at 4:49 PM

        This is ignoring things like newspapers that were made obsolete by the internet. At some point someone does need to actually pay for the content we see online. That is if we want that content to actually be good.

      • fl4regun

        today at 5:54 PM

        not sure why you're talking about "commercial business" being the one inserting ads everywhere when even niche community run forums from the 2000s also had ads to help pay for their server costs. At the end of the day all this costs money. Whether its paid by ads or direct subscriptions. IMO the problem is more about concentration and centralization of the internet into a handful of sites than advertising.

      • brokencode

        today at 4:43 PM

        I mean yeah, you pay for the internet. But many sites are free to use only due to ads.

        Such as news and magazine sites, many of which are actively dying due to a lack of revenue.

        I personally wish these sites could all switch to paid models, because I also don’t like ads.

        But absent that, I’d like to support the sites I use so that they don’t go out of business.

        • bookofjoe

          today at 5:43 PM

          I have expensive online subscriptions to New York Times, Wall Street Journal, and Washington Post. Nevertheless they are FILLED with ads/popups/videos that run automatically/dark patterns. Just saying: there's no refuge.

          • brokencode

            today at 7:19 PM

            True, but that doesn’t invalidate what I said about the vast majority of sites that aren’t globally known, prestigious news companies that people are willing to pay an expensive subscription for.

            Most publishers of content online are ad supported and struggling, and I want to make sure I’m contributing to their revenue somehow.

            I don’t feel bad about blocking ads on sites I pay for though.

          • fl4regun

            today at 5:55 PM

            here's an idea: don't use those sites.

  • xboxnolifes

    today at 4:03 PM

    The crazier part is that its an official government position, and we (people at large / the government) aren't immediately slapping down the actions of these companies.

  • nickvec

    today at 2:41 PM

    Majority of people use their mobile devices these days to browse the Internet. Installing an ad blocker on your iPhone is a significantly bigger challenge than on desktop.

    • lemoncookiechip

      today at 2:54 PM

      Use Firefox/Fennec which allow you to install a variety of the add-ons you can install on the desktop version such as UBO, Stylus, ViolentMonkey, Bitwarden, SponsorBlock, etc... or install Brave which comes with adblock by default. As for iPhone, you can install Brave which has adblock, I don't think Firefox has add-ons in that version though, not sure.

      • dobs_bob

        today at 4:00 PM

        Isn't Brave backed by Peter Thiel? That alone would make me not trust it but they also have baked in crypto and other weird stuff.

        • MidnightRider39

          today at 5:35 PM

          Here is a handy list of things that Thiel invested in

          PayPal, Spotify, Stripe, LinkedIn, Airbnb, Facebook, ResearchGate, Flexport, Nubank, Rippling, Asana, Luft, Tesla, Microsoft, Apple, SpaceX

          You can’t trust anything these days!

    • Rychard

      today at 2:44 PM

      Firefox on Android supports it without any issue. That would cover a significant enough segment of the population that it might encourage actual change in the industry if people started moving to that platform.

      • Xirdus

        today at 3:04 PM

        Firefox on Android has approximately 0.5% market share on mobile, less than Opera. I really doubt it's enough to spark any sort of industry-wide change.

        • Rychard

          today at 3:11 PM

          I'm not saying that Firefox on Android has significant market share; rather that Android has significant market share, and those users could be served by switching to Firefox solely for the purpose of using an adblocker.

          If all Android users did this, something would change.

        • Forgeties79

          today at 3:33 PM

          The point is it’s easy. It’s near frictionless. Unlike a lot of pie in the sky statements I see here like how “easy” it is to install and run Linux (it isn’t), Firefox adoption is truly trivial for any smartphone user and presents a stronger baseline than chrome does. People here often get critical of Firefox/Mozilla, and I totally get it, but compared to Google Chrome it doesn’t, well, compare.

          Firefox runs great 99.99% of the time. It’s easy to add extensions. So we should be pushing people to adopt it.

    • SirHumphrey

      today at 2:45 PM

      It’s becoming easier on iPhone (even uBlock origini is now available, if only the lite version), which is nice because internet is becoming more and more unusable without them.

    • Fwirt

      today at 5:40 PM

      AdGuard installs through the App Store and integrates seamlessly with Safari. It's not as perfect as some of the desktop class adblockers, but it's free and can be up and running in a couple minutes.

      If you're on Android, Firefox supports many full desktop extensions, including uBlock Origin.

    • jshier

      today at 3:14 PM

      There have been mobile Safari ad blockers for 10 years now, free or paid, and many of them can now be unified with desktop Safari. Many alternative iOS browsers include ad blocking directly, since they can't use the Safari plugins (despite all being powered by WebKit).

    • treetalker

      today at 2:48 PM

      1Blocker has been great for me and includes blocking of many/most (almost all?) in-app trackers too.

    • juliangmp

      today at 3:10 PM

      Can't speak for IOS but for android users I highly recommend Firefox for android, since you can install ublock origin within it. Let's be real, browsing the modern internet is downright impossible without it today.

    • lII1lIlI11ll

      today at 4:49 PM

      How is installing uBlock Origin Lite on iPhone a big challenge? Installing it on my SO's device was quite trivial.

      • fsflover

        today at 5:27 PM

        Lite doesn't actually protect you.

    • pants2

      today at 2:46 PM

      Not really - I use Brave browser on iPhone, a simple app install, and it blocks ads extremely well, even on YouTube and Instagram.

    • registeredcorn

      today at 3:25 PM

      Brave has served me well in this regard. I don't even get ads on YouTube on mobile.

    • iso1631

      today at 3:13 PM

      My pihole does a good enough job with phones. I know google wants to close this (hence pushing things like DoH)

      Last time I tried firefox on the iphone it was rubbish compared with safari. Same with some ad blocking app I had back in the day

    • streetfighter64

      today at 2:46 PM

      Not anymore. You can just find one on the app store and install it, almost exactly the same as you do in a browser's extension "store". It won't be as good as uBlock but it certainly works fine even in Safari.

      • nickvec

        today at 2:47 PM

        Which do you use? I was unaware that Apple even let such apps on the App Store. I always assumed that their ToS would strictly prohibit it.

        • Fwirt

          today at 5:41 PM

          AdGuard has never given me any trouble.

        • pyreko

          today at 2:53 PM

          ublock origin lite is straight up on the app store now, should work with any moderately recent version of iOS/iPadOS. Installed this on my family's Apple devices and it works pretty well.

          There's also been other adblock apps for a long while, though (adguard comes to mind).

        • financetechbro

          today at 2:51 PM

          uBlock Origin Lite works great for me

  • surajrmal

    today at 2:51 PM

    Don't worry, soon you'll need to pay every website 5.99 a month because AI is destroying click through rates. The internet will likely be far worse without ads than with ads. Solving the tracking problem doesn't need to be mixed up with blocking ads outright. What's funny is that tracking isn't nearly as meaningful for click through rates on ads as relevance to what's on the page, and yet so much effort is placed onto tracking for the slim improvement it provides.

    • array_key_first

      today at 3:11 PM

      It would not be 5.99 to access a website because that's not what it costs and that's not what ads yield.

      I think people think ads give way, way more money than they actually do. If you're visiting a website with mostly static ads then you're generating fractions of a cent in revenue for that website. Even on YouTube, you're generating mere cents of revenue across all your watch time for the month.

      Why does YouTube premium cost, like, 19 dollars a month then? I don't know, your guess is as good as mine.

      Point is, you wouldn't be paying 5.99. You could probably pay a dollar or two across ALL the websites you visit and you'd actually be giving them more money than you do today.

      • kbelder

        today at 3:20 PM

        But there's no method or structure in place to pay a website a fraction of a cent. Ads are the only way we've found that actually implements a form of microtransactions... paying a tenth of a penny for a sliver of attention.

        I don't want to defend ads, but whatever replaces them is going to be very disruptive. Maybe better, but very different.

        • FloorEgg

          today at 3:50 PM

          In 2023 I did a deep dive into the crypto community with two main questions:

          - do these people understand the principles of making good products?

          - is anyone clearly working towards a microtransaction system that could replace advertising and subscription models?

          After attending two conferences, hundreds of conversations and hours spent researching, my conclusion to both questions was no. The community felt more like an ouroboros. It was disappointing.

          I don't want to pay NYT a subscription fee, I want to pay them some fraction of a cent per paragraph of article that I load in. Same goes for seconds of video on YouTube, etc.

          Apparently I'm alone in this vision, or at least very rare...

          • order-matters

            today at 4:29 PM

            I have also done similar research because I wanted to build something to handle microtransactions on a personal website that could scale if adopted to be usable by everyone if they wanted.

            I looked at crypto currency because it seems like the obvious naive solution. it doesnt work. the cost of the transaction itself far outweighs the value of the transaction when dealing with fractions of a cent. you want an entire network to be updating ledgers with ~millions of records per ~$1000 moved. the fundamental tech of crypto leans towards slower, higher value transactions than high volume, small transactions. Lots of efforts have been made with some coins to bring down the bar of "high value, low volume" to meet everyday consumer usage rates and values - but a transaction history at the scale of every ad impression for every person is a tough ask and would perpetually be in an uphill battle against energy costs.

            Ultimately, the conclusion I came to is that the service would need to be centralized, and likely treated as cash by not keeping track of history. Centralized company creates "web credits", user spends $5 for 10,000 credits, these credits are consumed when they visit websites. Websites collect a few credits from each user, and cash out with the centralized company. The issue is that since it would cost more to track and store all the transactions than the value of the transactions themselves, you have to fully trust the company to properly manage the balances.

            I started building it and since I would be handling, exchanging, and storing real currency - it seemed subject to a lot of regulations. It is like a combination bank and casino.

            i've thought about finishing the project and using disclaimers that buying credits legally owes the user nothing, and collecting credits legally owes the websites nothing, and operating on a trust system - but any smart person would see the potential for a rug pull on that and i figured there would not be much interest.

            The alternative route of adhering to all the banking regulations to get the proper insurances needed to make the commitments necessary to users and websites to guarantee exchange between credits and $ seemed like too much for 1 person to take on as a side project for free

            • Dylan16807

              today at 6:44 PM

              It would need to be mostly centralized, but keeping track of history would not be hard.

              A typical credit is getting paid in, transacted once, and cashed out. And a transaction with a user ID, destination ID, and timestamp only needs 16 bytes to store. So if you want to track every hundredth of a penny individually, then processing a million dollars generates 0.16 terabytes of data. You want to keep that around for five years? Okay, that's around $100 in cost. If you're taking a 1% fee then the storage cost is 1% of your fee.

              If your credits are worth 1/20th of a penny, and you store history for 18 months, then that drops the amount of data 17x.

              (And any criticisms of these numbers based on database overhead get countered by the fact that you would not store a 10 credit transaction as 10 separate database entries.)

          • mistrial9

            today at 3:59 PM

            you are not alone, people seriously proposed one thing after another in the early 2000s.. same time frame as RSS, roughly. Somehow, these proposals were undermined and slow-walked? merger and acquisition in Silicon Valley was aligned with very different things

        • vannevar

          today at 3:46 PM

          >"Ads are the only way we've found that actually implements a form of microtransactions... paying a tenth of a penny for a sliver of attention."

          Ads were the path of least resistance, and once entrenched, they effectively prevented any alternative from emerging. Now that we've seen how advertising scales, and how it's ruined our mediascape, we're finally looking at alternatives. Not dissimilar to how we reacted to pollution, once we saw it at scale.

        • zadikian

          today at 3:48 PM

          Microtransactions have been done in various ways, in fact the word refers to those more than a hypothetical.

      • mlinsey

        today at 4:56 PM

        YouTube had an estimated $40 billion in ad revenue in 2025: https://techcrunch.com/2026/03/10/youtube-surpasses-disney-p...

        And has roughly 2.7 billion monthly active users. This means the average YouTube user brings in around $1.23 per month. When you consider that CPM's can easily swing by 20X based on how wealthy the user demographic is, and willingness to pay a subscription is a strong signal for purchasing power, I would not be at all subscribed if a YouTube premium subscription was revenue-neutral for Google.

      • gfody

        today at 3:28 PM

        I believe this and it makes a web 3.0 solution seem viable if only we could escape the collective action trap

      • abustamam

        today at 3:19 PM

        This may be a hot take but I'd be willing to pay my ISP $10 extra that they would distribute to sites I visit, if it meant zero tracking and ads. I use an ad blocker but I genuinely want to support content creators in a way that doesn't optimize for ads or clicks.

        There would need to be a way for ISPs to know which websites are getting my traffic in order to know who to distribute the money to, which I'm not a fan of. But I think something along those lines, with anonymized traffic data, would work a treat.

        • dotancohen

          today at 3:24 PM

            > distribute to sites I visit, if it meant zero tracking
          

          How would your ISP know to which sites to distribute the money, if there were no tracking?

          • wing-_-nuts

            today at 4:06 PM

            Oh ISPs are definitely collecting your browsing habits, and selling them to the highest bidder. It's one of the major reasons why I use a vpn.

            • lukechu10

              today at 5:07 PM

              Well what makes you think the VPN providers are not tracking?

              You would have to either self-host your own VPN server somewhere (maybe on a public cloud provider) or if you are truly paranoid, use something like Tor.

          • today at 4:04 PM

        • saghm

          today at 3:34 PM

          > This may be a hot take but I'd be willing to pay my ISP $10 extra that they would distribute to sites I visit, if it meant zero tracking and ads. I use an ad blocker but I genuinely want to support content creators in a way that doesn't optimize for ads or clicks.

          The problem is that both the ISP and the websites would then go "Cool, we're getting $10 a month from them!" for about a minute before they started trying to come up with ways to start showing you ads anyways. With the level of customer appreciation ISPs tend to show, I'm sure they'd have no problem ignoring your complaints and would happily revoke your service if you stopped paying the now $10-higher price per month.

        • Terretta

          today at 4:35 PM

          content creator is new speak

          people with something to share, people with something to say, who share and say it because they want to

          that's how pamphleteers worked, that's how the Internet worked

          at scale, static (CMS-managed) information sites cost effectively nothing even for arbitrary amounts of traffic, and smoothed across a range of people sharing stuff, it approaches zero per person

          publishing used to be free with your ISP, and edge CDN used to be (and still is) free to a point (an incredibly high volume point) as well

          having people pay something nominal to say things instead of pay far too much in attention-distraction or money to consume things, would put this all back the right way round

          • totallymike

            today at 5:08 PM

            I couldn’t disagree with this more if I tried. The biggest benefit of the internet is to make it easier to talk to each other and share ideas. Putting financial gates in front of that ability is hot garbage.

            Also, I agree that the platforms and paradigms we have are fucked up, but do believe that people who put work into making something deserve to charge for it if there are folks who’d pay.

        • CamperBob2

          today at 3:32 PM

          The ISP shouldn't necessarily be involved in this process, but some form of syndication does need to happen, and it seems crazy that it hasn't.

          The closest we've come is something like Apple News, which allows me to pay for a selected (by them, not me) subset of features on a selected (by them, not me) subset of news sites. Can't somebody do this right?

          • Terretta

            today at 4:36 PM

            Texture was incredible.

            Apple News remained fantastic until renewal of agreements when publishers demanded rights to insert additional ads.

            Apple can't not have premium sources in there, so...

    • mrkeen

      today at 3:25 PM

      No company would treat it as either-or.

      If websites could charge 5.99/month, they would.

      If a website was charging 5.99/month, they would not stop spying on you.

    • zadikian

      today at 3:49 PM

      This sounds possibly better. Aligns the interest of the website more with the users.

      Ads are a weird game. People say you're ripping off the website if you adblock, but aren't you ripping off the advertiser if you don't buy the product? If I leave YouTube music playing on a muted PC, someone is losing.

    • DebtDeflation

      today at 3:09 PM

      >The internet will likely be far worse without ads than with ads.

      Ads won't go away. They'll just move from infesting websites to infesting AI chatbots.

      • autoexec

        today at 4:48 PM

        That'd be ideal because it would mean I could browse the internet without ads and just never use AI chatbots. Unfortunately I think ads are only going to spread and what we'll actually end up with is "more ads everywhere".

    • eipi10_hn

      today at 5:59 PM

      I'm happy to see that day. I'm already paying for stuff I need in life. There's no reasons to insist on not paying for the stuff I need in the web. Just kill those spywares stealing my personal actions and information.

    • ozgrakkurt

      today at 3:16 PM

      > The internet will likely be far worse without ads than with ads

      This is highly debateable. I wouldn't mind paying a bit for the websites I am using as there are just a few platforms and some blogs that I would be happy to pay a small amount for.

    • tombert

      today at 3:10 PM

      I don’t think it would necessarily have to be six bucks a month.

      Something Awful is a one time fee of ten bucks (a few bucks more to get rid of ads).

      I wouldn’t really mind a one-time fee for a lot of sites if it meant that they didn’t have to do a bunch of advertising bullshit,

      • flax

        today at 3:43 PM

        Yes, but the Awful registration fee is more like a speedbump to make banned behavior at least a little expensive to the offending users. Most of the revenue comes from completely optional aesthetic purchases: avatars, avatars _for others_, smilies, etc. I suspect it's a whale based economy.

        • tombert

          today at 4:43 PM

          True, I think it was more sort of a natural filter than explicitly revenue for the website.

          Still, I would be willing to pay a bit more for a website that I actually like if it's a one-time fee; I actually paid for the "Platinum" membership for Something Awful so that I would have access to search, and a custom icon, so I think the total damage was around $30.

          Dunno, I guess I just feel like people will pay for things if those things don't suck. I think the fact that the only way that companies can really compete for people's time is giving it away for free [1] is a testament that most stuff on the internet is actually kind of shit.

          [1] yeah I know something something you are the product something something.

          ETA: I hate self-promotion but a friend of mine told me I should mention that I did write a blog post talking about this very specific example: https://blog.tombert.com/Posts/Personal/2026/02-February/Peo...

        • IAmBroom

          today at 4:47 PM

          > whale based economy

          Please explain this term. Google was not useful.

          • pixl97

            today at 4:56 PM

            Also look up K shaped economies at the same time and you get a better answer.

            But the gist of it is, companies do free to play systems that support themselves by a very small portion of their user base spending a very large amount of money. The free/low paying users find themselves with poor/no service as the companies do anything to attract more whales.

            K based economies are somewhat related as you see a very small portion of the participants in an economy make a huge amount of money while everyone else gets poor.

          • autoexec

            today at 4:56 PM

            Whales are the tiny percentage of users who spend large amounts of actual money on bullshit non-products offered by mobile apps and online platforms. AKA suckers.

    • b112

      today at 2:54 PM

      internet will likely be far worse without ads than with ads

      Not sure on that. It was far, far better before what drives ads today. I've gotten more value from random people's static HTML pages in 1999, than I ever have from something in the last 25 years.

      This just led me to think of news sites, and how they've turned mostly into click-bait farms in the last decade to 15.

      Gives me pause. Didn't the king of "doing it online" buy a newspaper, but the end result wasn't an improvement on its fate? If there is any way to make cash from news, shouldn't Bezos have been able to do it??

      • OhMeadhbh

        today at 3:08 PM

        I would love to get something more akin to a monthly print issue of BYTE, Omni, Starlog, Reality Hackers, WIRED and Dr Dobbs Journal without blinky, shouty ads that cause the content to re-render every 10 seconds.

        I would pay money for that.

        • b112

          today at 3:19 PM

          E-ink is getting cheaper and cheaper, there's a lot of 6" screen devices for $100. If it dropped to $100 for a 11" screen, that would be a respectable size for a magazine. I cite eink as most are distraction free, or can be, and are very easy on the eyes.

          Such content would also suck with flashy ads too.

          It's pretty easy tech I think, it's just never hit a flash point. But it could.

          • mrguyorama

            today at 4:15 PM

            You miss the point.

            We literally had all of this. We had regular, affordable, high quality printed media for every hobby and interest and industry, that you could get delivered to your home address and collect in your own archive if you want, and your local library could do the same.

            Those pieces of paper could not track anything about you. They tried, selling their subscriber lists, but that was the best tracking they could provide! You could easily ignore ads, and in return they had to make ads interesting enough in various ways that you might look at them anyway, or they had to make their ads directed at people who went looking for whatever you were selling.

            It was an objectively better system in every way.

            The Sears catalog was worlds better than Amazon. You weren't going to buy a fraudulent item for one.

            Tech is a failure. It has made so much worse. It has only served to allow businesses to cut costs while extracting money from every single local community that used to allow such cash to circulate locally.

            We should ban all internet advertising.

            • OhMeadhbh

              today at 7:41 PM

              I might recomment a middle ground before banning all internet advertising.

              What if we limited advertising to images which don't set tracking cookies, so you would get something sort of like banner headlines. Maybe say the image had to be served from the same place as the rest of the content so you don't get to track readers with image trackers

            • throwawayq3423

              today at 4:36 PM

              You make the argument from the consumer side, it's hard to argue, but digital systems are far more profitable. So that's how we got the world we got.

              • autoexec

                today at 5:09 PM

                It turns out that "makes the most money for a small amount of people" is pretty much the same as "makes everything shitty for everyone else". It's time that we either stop accepting "most profitable" as an excuse for making things worse or start regulating/punishing bad behavior until it becomes so costly that it's no longer profitable.

              • fl4regun

                today at 6:11 PM

                Your response comes packaged with a pill that I believe many people would not swallow: If it makes more profit then we should do it.

      • rchaud

        today at 3:54 PM

        > If there is any way to make cash from news, shouldn't Bezos have been able to do it??

        News only made money when the newspapers could leverage their circulation numbers to run their own ads network. The classifieds section was a money machine. I remember full-page ads in the Washington Post from local car dealerships showing every model they were selling. They likely ran different ads for distribution in other regions, probably 10Xing their money. Google and Facebook killed that.

        What Bezos bought was a corpse of a business, but one with strong journalistic credibility known for historic investigative analyses such as the Watergate cover-up that earned public goodwill. He was buying that goodwill and slowly asphyxiating it to align with his own interests.

        • ConceptJunkie

          today at 4:50 PM

          By the time Bezos bought the Post, most of that goodwill had evaporated, and since then, almost all of it has.

    • KellyCriterion

      today at 3:20 PM

      yes, Google AdSense was like the cambrian explosion allowing tons of businesses to get traction in the early days.

      There is a story of this PlentyOfFish founder (who exited to Match.com for 500m cash) that in the beginning he got 3-4 USD per click

    • toomuchtodo

      today at 2:53 PM

      I would rather pay people and websites for content. I already do this today for journalism orgs and a handful of high value substacks, I'm happy to pay for more. I'd pay for HN. Free does not scale (with the caveat being orgs like Wikipedia, the Internet Archive, and others who have an endowment behind them and can self fund alongside donations; this, of course, is a model others can adopt), people need to eat, pay for rent, etc, and ads are ineffective when everyone can block them.

      Ads are a symptom of the problem that people want human generated content for free; they either do not value the content enough to pay for it, or cannot afford it. Ads do not solve for those problems.

      • II2II

        today at 3:21 PM

        > Free does not scale

        No disagreement there, except the early web was not about scale. The sites you visited may have been created by someone as a hobby, a university professor outlining their courses or research, a government funded organization opening up their resources to the public, a non-profit organization providing information to the public or other professionals, or companies providing information and support for their products (in the way they rarely do today).

        > people need to eat, pay for rent

        Those people were either creating small sites in their spare time, or were paid to work on larger sites by their employer.

        There were undoubtedly gaps in the non-commercial web. On the other hand, I'm not sure that commercializing the web filled those gaps. If anything, it is so "loud" that the web of today feels smaller and less diverse than the web of the 1990's.

        • toomuchtodo

          today at 3:26 PM

          I agree there are hobbyists, for lack of a better term, who will always share for free "for the love of the game", passion, whatever you want to call it. Nothing stops them from doing this passion or charity work today, the evidence of that is clear from the content we see daily pass through /new here. That was never really ad driven, nor would it be in the future, and numerous mechanisms remain for them to share this content for free with the world. But that is a small minority of today's Internet and consumption of data, information, and content (imho).

          How does HN exist? Wealthy benefactors. Do I appreciate it any less? I do not, I am very grateful. But solutions are needed where a wealthy benefactor has not stepped in or does not exist, a commercial business model is untenable, the government does not or will not fund it, and the scale is beyond a single person spending a few hours a week on it for free.

          https://xkcd.com/2347/

      • rchaud

        today at 3:40 PM

        Newspapers continue to run ads even after the paywalls went up everywhere a decade or so ago. Once "premium" offerings like HBO, which were ad-free on cable TV, now has ads on its paid streaming version. Even with the "premium" subscription tier, there's sponsored/co-branded content. And for some reason, it now has live sports, where they have no control over the ads shown.

      • oopsiremembered

        today at 3:37 PM

        The problem was less the scale of supply and more the scale of demand.

        In the 19th century, economist William Stanley Jevons found that, as coal became more readily and easily available, demand for it went up. This was counter to the theories of others, and the principle became known as Jevons Paradox.

        Jevons Paradox (a concept that is widely misunderstood, especially when it comes to tech and finance bros talking about AI) demonstrates that, a resource becomes more abundant and easily accessible, demand for that resource rises. As the web took off, people hungered more and more for digital content -- especially as internet accessibility became faster and cheaper.

        To keep up -- and to pay for being able to keep up -- increasingly sophisticated monetization models were introduced.

        In any case, ad models are one thing. But it's the data brokering that's even more insidious.

        The irony is that if internet content were harder to access, the population on the whole wouldn't want it as much.

        Now, the culmination of Jevons Paradox has spun itself around a bit in this case. We now live in a world where those profiting off of ad models and data brokering actively try to get people to demand internet content more. (Look no further than the recent social-media-addiction lawsuits.)

      • pessimizer

        today at 4:51 PM

        > I would rather pay people and websites for content.

        I do not think that this is a workable model. Firstly, because it leads inevitably to monopolization, because you don't want to pay 50,000 people for content, you want to pay 10 people for content. Secondly, because most content is bad and a waste of time and you don't find out until after you've bought it. Thirdly, and most importantly, is that there's no actual, clear separation between "news" and "advertising."

        Content is generated because people who want that content generated sponsor it beforehand, and dictate the conditions under which the delivery of that content will be accepted as a fulfillment of that sponsorship. The people sponsoring that content can have any number of reasons for doing it; it can make them money directly (i.e. I have articles about cats, people who like cats subscribe to my cat website), which if you're a linear thinker you think is the only way, or it can make them money indirectly, maybe by leading consumers to particular products or political stances that they have a stake in.

        This is simply the truth. Your preferences don't matter, and it's not a moral question. If you pay for content, you're more valuable to advertise to, not less. A lot of work is put into producing trash that you regret having read or watched, and was really intended to make you support Uganda's intervention in a Zambian election (or whatever.) If you "value" reading it, you've failed an intelligence test. Its value is elsewhere for the people to paid for it to be written.

        What's recently shown itself to scale is small groups of people sponsoring journalists and outlets who put out tons of content for free. The motivation of those sponsors is usually to spread the points of view of the journalists they sponsor widely, because they believe them to be good.

        There was never a pay model that supported things that people didn't feel passionate about or entertained by. Newspapers cost less than the paper they were written on. Television news was always a huge money loser that was invested in to raise the social status and respectability of the network. If you feel passionately about anything, you're far better off paying people to listen, to give you a chance, than to lock away content. Journalism as a luxury good can work, but only for Bloomberg terminals and Stratfor, when it is used to make other lucrative decisions by its buyers.

        > orgs like Wikipedia, the Internet Archive, and others who have an endowment behind them

        This is simply sponsorships by governments and billionaires. Never ever been any significant shortage of that (the patron saint of this is King Alfonso X.*) All of those people have wide interests that can often be served by paying for media to be produced or distributed. It's where we got our first public libraries from.

        For me, the fact that Substack and Patreon almost work is more important, and is something that wouldn't have been as easy without the benefits that the internet brings for the collaboration of distant strangers.

        -----

        [*] https://en.wikipedia.org/wiki/Alfonso_X_of_Castile#Court_cul...

      • iso1631

        today at 3:10 PM

        I run into occasional articles, often linked from here, for say economist or ft.com or new york times

        I'm not signing up for a subscription for that journal, but paying a small amount for access to that one article is a no brainer. I don't subscribe to a newspaper either, but I'll happily buy one.

        The New European did this a decade ago using "agate" (named after the smallest font you'd get in a newspaper), top up with a few quid, then pay for each article.

        Sadly didn't catch on. TNE dropped it in 2019[0]. Agate still exists, having been renamed to "axate", but consumers aren't willing to pay with anything other than their time.

        [0] https://pressgazette.co.uk/news/new-european-drops-micro-pay...

        • toomuchtodo

          today at 3:18 PM

          While this works for some cohort of consumer, it doesn't work for organizations that need consistent cashflows to pay for consistent expenses, and so, those willing to subscribe on a recurring basis carry the economic burden of sustaining such operations.

      • jamespo

        today at 3:09 PM

        Sadly you are atypical and the vast majority are freeloaders, who even without ads or tracking will try and find another way not to pay.

        • ozgrakkurt

          today at 3:19 PM

          There is no substance to this statement.

          > Sadly you are atypical and the vast majority are freeloaders

          Citation needed.

          > who even without ads or tracking will try and find another way not to pay

          Why is this relevant? People try to get free stuff all over the place and I don't find it makes my life difficult.

          • II2II

            today at 3:32 PM

            >> Sadly you are atypical and the vast majority are freeloaders

            > Citation needed.

            I think we need to agree upon a definition of freeloader before citing sources to support the claim. I've found that many people who use the word have a much more transactional view of the world than I do.

        • today at 3:12 PM

        • IAmBroom

          today at 4:50 PM

          As opposed to morally upright people like yourself, who look for ways to pay for things that might be obtained freely?

    • jcgrillo

      today at 3:09 PM

      > soon you'll need to pay every website 5.99 a month

      No, I won't. I'll just stop using them. So will almost everyone. I don't think there's a single ad-supported product that would survive by converting to a paid subscription, because they're all so profoundly unnecessary.

      • tombert

        today at 6:00 PM

        Yeah, the fact that the only way that these products can survive in the competition of how I spend my time is a testament to how shitty they are.

    • nathan_compton

      today at 4:50 PM

      Honestly, I'd rather see the internet wither and die than live with ads. True hate and contempt for them.

    • jonathanstrange

      today at 3:02 PM

      I'd be very happy with an internet without ads. Not that I see any ads anyway.

      • OhMeadhbh

        today at 3:11 PM

        I think the damage is there even if you don't see the ads. News outlets and organizations that used to be magazine publishers focus on lowest common denominator stories they know will get the highest engagement. That usually means sexy anger-bait.

        Sure we had that in the print times, but we had a lot more "slow" content that you could sit with and contemplate over a day, week or month.

        • MetaWhirledPeas

          today at 4:04 PM

          > publishers focus on lowest common denominator stories they know will get the highest engagement

          One of my favorite uses of AI is to ask it, "what are today's headlines?" You completely bypass all of the sensational nonsense.

      • lastofthemojito

        today at 3:17 PM

        Even those of us who don't see ads see the structure that the ad-driven internet economy creates. Listicles, clickbait and AI-generated slop web pages, just trying to get more ad impressions. Sure, with an ad blocker I can see the low-quality content without an ad, but without the ad economy hopefully there'd be less incentive to create low-quality content to begin with.

    • ajsnigrutin

      today at 3:10 PM

      But those websites would have to provide 5.99 a month of value, and many don't.

      We used to have "static" banners on sites, that would just loop through a predefined list on every refresh, same for every user, and it worked. Not for millions of revenue, but enough to pay for that phpbb hosting.

      The advertisers started with intrusive tracking, and the sites started with putting 50 ads around a maybe paragraph of usable text. They started with the enshittification, and now they have to deal with the consequences.

      • OhMeadhbh

        today at 3:28 PM

        Nary a month goes by that I don't bemoan the loss of BYTE and Dr Dobbs Journal. WIRED is still hanging on, but it's more of a site where tech warehouses in Shenzhen hawk there latest wares.

        There was a time when Boing Boing was a decent little print magazine. And the web site went a decade before turning into... whatever the heck it is now.

        And Reality Hackers and Mondo 2000 were "guaranteed unreadable," but they were on the bleeding edge of desktop publishing style and technology.

        I'm old enough to remember typing BASIC games from COMPUTE! into my C64 and reading about the latest Star Trek film in Starlog.

        I sing the praises of Omni, even though it was clear they were probably snorting a lot of cocaine in their offices.

        I can't be the only one who remembers Computer Shopper, but I have to admit it was years before I realized they had a bit of content and were more than just an ad sheet for Micro Center.

        PC World wasn't my jam, but I respected the role it played. UnixWorld and Info World were more my thing.

        And I even read the stories and articles in Playboy in the 70s. Believe it or not, they had some amazing authors publish stories there.

        • IAmBroom

          today at 4:53 PM

          Omni was hands-down the sexiest thing Penthouse ever did with their money.

          Hands-up... it was still pretty sexy.

    • Forgeties79

      today at 3:08 PM

      I honestly don’t think “with ads” describes what we are experiencing. We are being all but violently fracked for data (and we don’t know what all they’re taking) for them to sell to 3rd parties we don’t know who then use decades of research and tooling + your personal data to psychologically manipulate you into not just buying things, but also into feeling and acting certain ways (socially, politically, etc).

      This isn’t Nielsen ratings informing cable networks where to throw up which commercials in certain regions. This is far more dangerous and intense. So the conversation needs to be framed differently than the implied bar of “intrusive/annoying/incessant ads.”

  • SoftTalker

    today at 5:13 PM

    Every browser should have ad blocking technology included and enabled by default. I do not understand why Apple in particular has not pushed this with Safari, as they like to portray that they care about privacy.

    I get why Chrome doesn't, and that's why you should not use it. But Netscape? Edge? What is stopping them?

    Browsing the web without an ad blocker is a miserable experience. Users who have never tried or don't know how to set one up would be delighted.

    • lastofthemojito

      today at 6:09 PM

      Google pays Apple 20+ billion dollars annually to be the default search engine in Safari. I don't know whether the absence of ad blocking is a stipulation in that deal or not, but I have to imagine that if Apple blocked ads in Safari by default, that deal would not be renewed.

      • SoftTalker

        today at 7:27 PM

        Apple is worth nearly $4T. I think they can afford to take a principled stand here, especially considering the current mood about big tech.

        And I don't think Google would lightly give up being the default search engine on the dominant mobile platform in the USA, and significantly more dominant among upper-income users.

    • bookofjoe

      today at 5:45 PM

      Browsing the web without a web blocker for me is a wonderful experience every day and has been since the beginning. Diff'rent strokes.

    • MidnightRider39

      today at 5:30 PM

      At least with Chrome i can use ublock - not so with safari. The best browser is ofc Firefox but everyone seems to have forgotten that bc of bad publicity or whatever

      • gzread

        today at 5:50 PM

        The best browser is either Waterfox or Librewolf since they're Firefox-based but don't steal your data or claim copyright on it.

        • MidnightRider39

          today at 6:06 PM

          It would be news to me that Firefox steals data or claims copyright on my data - do you have anything concrete to back that up?

          • gzread

            today at 6:55 PM

            It was their terms of service change at the start of 2025. It caused quite a shitstorm.

            • MidnightRider39

              today at 7:26 PM

              So essentially a bunch of noise that didnt really mean anything concrete?

  • meroes

    today at 3:47 PM

    It’s worse than that. My mom wants to see ads. I thought I was doing her a favor adding her to my pihole but she really likes ads, especially Facebook ads.

  • stronglikedan

    today at 5:55 PM

    > the average person's response is ... I'll just go ahead and continue to suffer with invasive ads

    The real reason is that the average person neither suffers with ads nor finds ads invasive, despite what a vocal online minority would have you believe. We just ignore them and get on with life. ::shrug::

    • chickensong

      today at 6:52 PM

      Ignoring (post-impact) and moving on is the natural thing to do, but it seems like a stretch to imply that the average person neither suffers or finds ads invasive.

      The suffering isn't acute, it's death by a thousand cuts as your mind erodes into a twitchy mess. Look at the comment section of a nice youtube video and see people outraged at getting blasted with an ad at the wrong moment.

      Most people don't like ads, but we love the stimulation of the screen more so we suffer them, regardless of the damage done.

  • mcmcmc

    today at 4:31 PM

    The FBI also recommended people use commercial VPNs… coincidentally they don’t need a warrant to spy on communications that leave the country

    • autoexec

      today at 5:15 PM

      It's probably better to let them spy on your highly encrypted traffic going overseas than use a US based service considering that they can march into any US company and start collecting every bit of data (https://en.wikipedia.org/wiki/Room_641A)

  • unmole

    today at 2:32 PM

    > and if everyone actually listened, much of the Internet (and economy) as we know it would disappear.

    Would it really? It seems to me that most normal users spend most of their time and attention on apps, not in browsers.

  • phplovesong

    today at 3:23 PM

    YT made sure adblockers ruin the experience. We really need a good YT alternative, as it has become AI slop (shorts) and most new videos are of real poor quality.

    • Gagarin1917

      today at 4:15 PM

      You’re not going to get a YT alternative if it can’t make money with ads.

      • jditu

        today at 5:44 PM

        [dead]

  • i_love_retros

    today at 2:50 PM

    Half the population are fucking idiots. Possibly more than half.

    They need to be protected by the state because they can't think for themselves.

    The problem is in most countries and especially America the state is a corrupt cesspool.

    • IAmBroom

      today at 4:55 PM

      Nihilist blathering sounds cool.

    • throwawayq3423

      today at 4:37 PM

      I'm curious what protection by the state do you think Americans receive?

    • pluralmonad

      today at 3:39 PM

      When has infantilizing adults resulted in positive outcomes? What if the group of idiots decide you're the idiot and start making decisions for your own good?

    • lstodd

      today at 4:30 PM

      > the state is a corrupt cesspool.

      Exactly because no one in his right mind is going to work in "state". So the "state" is more like 95% "fucking idiots" as you put it, and that is self-reinforcing.

  • j45

    today at 2:23 PM

    Ad blockers focus on ads, not fingerprinting.

    • ronjouch

      today at 2:28 PM

      "Ad blockers" nowadays do much more. From the horse’s mouth, which describes itself as a “wide-spectrum content blocker” [1]:

      “uBlock Origin (uBO) is a CPU and memory-efficient wide-spectrum content blocker for Chromium and Firefox. It blocks ads, trackers, coin miners, popups, annoying anti-blockers, malware sites, etc., by default using EasyList, EasyPrivacy, Peter Lowe's Blocklist, Online Malicious URL Blocklist, and uBO filter lists. There are many other lists available to block even more [...]

      Ads, "unintrusive" or not, are just the visible portion of the privacy-invading means entering your browser when you visit most sites. uBO's primary goal is to help users neutralize these privacy-invading methods in a way that welcomes those users who do not wish to use more technical means.”

      [1] https://github.com/gorhill/uBlock?tab=readme-ov-file#ublock-...

      • newsoftheday

        today at 3:13 PM

        I'd like to install uBlock Origin, when I try, Chrome warns it needs the permission to, "Read and change all your data on all websites". That seems excessive, to give that much power to one extension. I currently use no extensions to keep my security posture high.

        • nickburns

          today at 4:22 PM

          https://github.com/gorhill/uBlock/wiki/Permissions

          https://github.com/gorhill/uBlock/wiki/Can-you-trust-uBlock-...

          https://github.com/gorhill/uBlock/wiki/Privacy-policy

          https://github.com/gorhill/uBlock/wiki/Why-don't-you-accept-...

        • Sohcahtoa82

          today at 4:30 PM

          > "Read and change all your data on all websites"

          What a silly complaint. How is an ad blocker supposed to work if it can't read and change the data on a website?

          You might as well complain that your Camera app wants access to your camera.

          > I currently use no extensions to keep my security posture high.

          Ironically, skipping uBlock Origin because of the security concern is lessening your security posture. Are you familiar with the term "malvertising"?

        • garciansmith

          today at 3:24 PM

          I never get the fear behind extensions, at least not to the level where you wouldn't use an open-source extension that's extremely well vetted. And even if that isn't good enough for you, choosing to browse the web without using a content blocker is a far, far greater security risk.

      • j45

        today at 7:04 PM

        Appreciate the clarification, I would clarify to say the origin story of Ad blockers are ads, and the underlying behaviours may not capture everything that fingerprinting may do where people don't advertise.

        Ublock is great, but I am finding fingerprinting that gets past it and that's what I'm referring to.

    • autoexec

      today at 5:19 PM

      Disable JS and you've eliminated the vast majority of fingerprinting (besides "blocks JS")

      • j45

        today at 7:05 PM

        alternatively, css can script quite a bit... :)

        • autoexec

          today at 7:26 PM

          No joke, CSS has gotten out of hand!

    • mewmewblobcat

      today at 2:24 PM

      Depends on what lists you use. If you use uBlock Origin, and enable most of the lists, it'll target both.

      • dcdc123

        today at 4:23 PM

        I use uBlock Origin with basically every filter list enabled on Brave with their default blocker enabled. I just confirmed that this does not prevent the script from loading and scanning extensions. The browser tools network tab on LinkedIn is absolutely frightening.

        • autoexec

          today at 5:22 PM

          NoScript will prevent that script from loading and scanning extensions. JS is required for almost all fingerprinting and malware spread via websites. Keeping it disabled, at least by default, is the best thing you can do to protect yourself.

      • big_toast

        today at 3:00 PM

        According to the EFF fingerprinting website, Firefox + uBlock Origin didn't really make my browser particularly unique.

        But turning on privacy.resistfingerprinting in about:config (or was it fingerprintingProtection?) would break things randomly (like 3D maps on google for me. maybe it's related to canvas API stuff?) and made it hard to remember why things weren't working.

        Not really sure how to strike a balance of broad convenience vs effectiveness these days. Every additional hoop is more attrition.

      • Scoundreller

        today at 2:27 PM

        > Every time you open LinkedIn in a Chrome-based browser

        I thought uBlock Origin was now dead in Chrome?

        I remember a few hacks to keep it going but have now migrated to Firefox (or sometimes Edge…) to keep using it.

        • ronjouch

          today at 2:30 PM

          Full uBlock Origin is dead in Chrome, yes, but https://github.com/uBlockOrigin/uBOL-home is the next best thing if you cannot leave Chrome

          • idbnstra

            today at 3:03 PM

            or Vivaldi is chrome based, and it supports full uBlock Origin. If you don't need CHROME chrome, that's even better imo

        • qilo

          today at 2:55 PM

          Surprisingly full uBO still works on Chrome 146 if launched with the argument

              --disable-features=ExtensionManifestV2Unsupported

      • j45

        today at 2:26 PM

        Go try it with fingerprint.com. Even post-sanitization, pi-hole, you name it, it will be surprising.

        • streetfighter64

          today at 2:50 PM

          fingerprint.com seems to be some fingerprinting vendor, they don't even offer a demo without logging in. https://coveryourtracks.eff.org is EFFs demo site is non-profit and doesn't require login

          • Fogest

            today at 5:25 PM

            I have a lot of browser extensions running and am using Brave as my browser. I have their built in adblocker enabled as well as some of their privacy features turned on in the settings. I am also using a self hosted adblock instance for my DNS servers. I actually appear as random and not unique which is really nice to see. I know Brave does intentionally lean on some of the privacy side of things and it also has options to specifically prevent sites from fingerprinting by blocking things like seeing language preferences. I have to assume it is also doing some things in the backend to try and prevent other fingerprinting methods.

          • KeshiaRose

            today at 3:36 PM

            This is the Fingerprint demo page (the page itself is a demo): https://fingerprint.com/demo There's also https://demo.fingerprint.com for use case specific demos and more detail on the API response.

          • iso1631

            today at 3:22 PM

            coveryoutracks always tells me I'm unique

            Which is concerning. Until you realise I do the same thing a few days later and I'm still unique.

            • mrguyorama

              today at 4:52 PM

              It tells you that you have a unique fingerprint.

              It is not telling you that the test site has never seen you before, because the eff isn't storing your fingerprint for later analysis and tracking

              It could actually tell you about which real tracking vendors are showing you as "Seen and tracked" so it's pretty annoying they don't do that.

              If that site shows you as having a unique fingerprint, I guarantee you are being tracked across the web. I've seen the actual systems in usage, not the sales pitch. I've seen how effective these tools are, and I haven't even gotten a look at what Google or Facebook have internally. Even no name vendors that don't own the internet can easily track you across any site that integrates with them.

              The fingerprint is just a set of signals that tracking providers are using to follow you across the internet. It's per machine for the most part, but if you have ever purchased something on the internet, some of the providers involved will have information like your name.

              Here is what Google asks ecommerce platforms to send them as part of a Fraud Prevention integration using Recaptcha:

              https://docs.cloud.google.com/recaptcha/docs/reference/rest/...

              • iso1631

                today at 6:31 PM

                It must store the fingerprints to determine if I'm unique, otherwise everyone would be unique.

                If it doesn't store the fingerprints then how does it tell the difference between

                5 identical looking browsers connecting from 5 different IPs

                1 browser connecting 5 times from 5 different IPs

    • today at 2:26 PM

    • throwawayq3423

      today at 4:37 PM

      https://brave.com/privacy-updates/28-sunsetting-strict-finge...

  • fallinditch

    today at 2:33 PM

    I asked an LLM to create a plan for a 'digital rebirth' in order to minimize privacy harms. It's a lot of work, but increasingly: a worthwhile endeavor.

    • amlib

      today at 3:51 PM

      Might as well have asked a bottomless pit to do the same and get a better result from all the reverberations inside your empty head.

• replwoacause

  today at 1:42 PM

  I disagree, I think we should push back hard on behavior like this. What business is it of LinkedIn's what browser extensions I have installed? I think the framing for this is appropriate.

  • kps

    today at 1:46 PM

    Why is it possible for a web site to determine what browser extensions I have installed? If there are legitimate uses, why isn't this gated behind a permission prompt, like things like location and camera?

    • haswell

      today at 1:51 PM

      This, to me, seems like the more salient point. A headline like “Major browsers allow websites to see your installed extensions” seems more appropriate here.

      We’ve known for a long time that advertisers/“security” vendors use as many detectable characteristics as possible to constrict unique fingerprints. This seems like a major enabler of even more invasive fingerprinting and that seems like the bigger issue here.

      • hsuduebc2

        today at 4:16 PM

        Well it would be more appropriate headline if it would be about broken browser behavior.

        But this is about major corporation sneakily abusing this to ilegally extract specific sensitive data which they are abusing.

        • forgotaccount3

          today at 6:31 PM

          What law is it breaking?

          If a company leaks my sensitive data, I get some nice junkmail offering me some period of time of credit monitoring or whatever so what are browsers doing to prevent this?

          The issue should never be 'We want entities to have this data but only use it in some constrained and arbitrary manner that we can't even agree about it's definition.' instead 'This data shouldn't be made available to X'

        • tomwheeler

          today at 5:26 PM

          It's possible to write a headline that directs blames at both parties: "Major Browsers Fail to Block Websites that Invade Your Privacy"

          The fact that the website is doing this is a bigger problem than the browser not preventing it. If someone breaks into a house, it's the burglar who is prosecuted, not the company that made the door.

          If you scanned LinkedIn's private network, you'd be criminally charged. Why are they allowed to scan yours with impunity? And why is this being normalized?

          The best solution is a layered defense: laws that prohibit this behavior by the website and browsers that protect you against bad actors who ignore the law.

          • haswell

            today at 5:41 PM

            > If you scanned LinkedIn's private network, you'd be criminally charged. Why are they allowed to scan yours with impunity? And why is this being normalized?

            First, I think it’s a major issue that Chrome is allowing websites to check for installed extensions.

            With that said, scanning LinkedIn’s private network is not analogous to what is going on here. As problematic as it is, they’re getting information isolated to the browser itself and are not crossing the boundary to the rest of the OS much less the rest of the internal network.

            Problematic for privacy? Yes. Should be locked down? Yes. But also surprisingly similar to other APIs that provide information like screen resolution, installed fonts, etc. Calling those APIs is not illegal. I’m curious to know what the technical legal ramifications are of calling these extension APIs.

      • acheron

        today at 2:16 PM

        This is a Chrome thing. It’s a safe bet that if you use Google products you don’t care about privacy anyway. “Google product collects info about you: news at 11.”

        • today at 2:30 PM

        • armadyl

          today at 2:32 PM

          > This is a Chrome thing.

          This is blatant misinformation. Firefox (and all of its derivatives) also does this.

          https://bugzilla.mozilla.org/show_bug.cgi?id=1372288

          • Aloisius

            today at 6:09 PM

            This only works if the web page knows the random per-install id associated with an extension.

            That can only happen if the extension itself leaks it to the web page and if that happens, scanning isn't necessary since it already leaked what it is to the webpage. It also doesn't tell you what extension it is, unless again, the extension leaks it to the webpage.

            The attack on Chrome is far more useful for attackers as web pages can scan using the chrome store's extension ID instead.

          • p-e-w

            today at 3:20 PM

            And this bug was reported eight years ago, with no serious attempt to fix it since.

        • taneq

          today at 2:20 PM

          Google cares deeply about privacy. Google defines privacy as them not giving your private data that they have collected to anyone else unless you ask them to.

          • dmoose

            today at 2:29 PM

            Google cares deeply about privacy. Google defines privacy as them not giving your private data that they have collected to anyone who hasn't paid them for it or can compel them to give it up.

            • seanw444

              today at 2:57 PM

              There's a fourth amendment case on the Supreme Court docket (Chatrie v. U.S.) about Google searching a massive amount of user data to find people in a location at a specific time, at police request. The case is about whether the police's warrant warranted such a wide scope of search (if general warrants are allowed).

              Point being: Google will 100% give your info to the police, regardless of whether the police have the legal right to it or not, and regardless of whether you actually committed a crime or not.

              Bonus points: the federal court that ruled on the case said that it likely violated the fourth amendment, but they allowed the police to admit the evidence anyway because of the "good faith" clause, which is a new one for me. Time to add it to the list of horribly abusable exceptions (qualified immunity, civil asset forfeiture, and eminent domain coming to mind).

              • ImPostingOnHN

                today at 3:21 PM

                They knowingly participated in PRISM, too.

            • iso1631

              today at 3:29 PM

              Why would the police go to all that hassle of compelling google to give it up when it can simply buy it on the open market.

              • autoexec

                today at 5:41 PM

                Police do hit up google for data though. https://www.nbcnews.com/news/us-news/google-tracked-his-bike...

                • iso1631

                  today at 6:03 PM

                  So no compelling here. The police asked for it and google gave it, either for free or in exchange for money. They didn't say "no" to the police, they didn't wait for a court order.

                  The bad guy here is google. And the people that champion data collection by private companies because of free market == good.

                  • autoexec

                    today at 6:25 PM

                    In that case, the main bad guy was the police who didn't bother to do even the most basic investigating after "check Google's GPS records to see who was at the house" including "Check Google's GPS records to see how how long they were there" which would have shown them this was a drive by, but yeah Google is absolutely a villain

              • taneq

                today at 3:42 PM

                The breaking point with me that caused me to de-google myself was finding out that Google was buying Mastercard records in order to cross-reference them with Android phone data. That shit is not okay.

            • taneq

              today at 3:40 PM

              Ah yes, I should have said I was describing the official line, not the behaviour. In all fairness the “can compel them to give it up” doesn’t seem to be optional but otherwise, yeah. Agreed.

    • roblabla

      today at 1:59 PM

      It does two things:

      1. Do a request to `chrome-extension://<extension_id>/<file>`. It's unclear to me why this is allowed.

      2. Scan the DOM, look for nodes containing "chrome-extension://" within them (for instance because they link to an internal resource)

      It's pretty obvious why the second one works, and that "feels alright" - if an extension modifies the DOM, then it's going to leave traces behind that the page might be able to pick up on.

      The first one is super problematic to me though, as it means that even extensions that don't interact with the page at all can be detected. It's unclear to me whether an extension can protect itself against it.

      • dlenski

        today at 2:27 PM

        > 1. Do a request to `chrome-extension://<extension_id>/<file>`. It's unclear to me why this is allowed.

        Big +1 to that.

        The charitable interpretation is that this behavior is simply an oversight by Google, a pretty massive one at that, which they have been slow to correct.

        The less-charitable interpretation is that it has served Google's interests to maintain this (mis)feature of its browser. Likely, Google or its partners use similar to techniques to what LinkedIn/Microsoft use.

        This would be in the same vein as Google Chrome replacing ManifestV2 with ManifestV3, ostensibly for performance- and security-related purposes, when it just so happens that ManifestV3 limits the ability to block ads in Chrome… the major source of revenue for Google.

        The more-fully-open-source Mozilla Firefox browser seems to have had no difficulty in recognizing the issues with static extension IDs and randomizing them since forever (https://harshityadav.in/posts/Linkedins-Fingerprinting), just as Firefox continues to support ManifestV2 and more effective ad-blocking, with no issues.

        • warkdarrior

          today at 4:14 PM

          > This would be in the same vein as Google Chrome replacing ManifestV2 with ManifestV3, ostensibly for performance- and security-related purposes, when it just so happens that ManifestV3 limits the ability to block ads in Chrome… the major source of revenue for Google.

          uBlock Origin Lite (compatible w/ ManifestV3) works quite well for me, I do not see any ads wherever I browse.

    • mrweasel

      today at 4:48 PM

      Generally the whole thing needs to be flipped upside down. Extensions is the easy one, there's not reason a random website can list your installed extensions, zero.

      For other capabilities, like BlueTooth API, rather than querying the browser, assume that the browser can do it and then have the browser inform the user that the site is attempting to use an unsupported API.

    • today at 1:53 PM

    • taneq

      today at 2:19 PM

      Agreed, but also, permission prompts are way overused and often meaningless to anyone at all, even fellow software engineers. “This program [program.exe] wants to do stuff, yes/no?” How should I know what’s safe to say yes to?

      I think Android’s ‘permissions’ early on (maybe it’s improved?) and Microsoft’s blanket ‘this program wants to do things’ authorisation pop up have set a standard here that we shouldn’t still be following.

    • jacquesm

      today at 2:45 PM

      Because Google.

    • MagicMoonlight

      today at 2:01 PM

      Who makes browsers? Ad companies.

      Of course Google is going to back door their browser.

      • chimeracoder

        today at 2:11 PM

        > Who makes browsers? Ad companies.

        > Of course Google is going to back door their browser.

        Aside from the fact that other browsers exist, this makes no sense because Google would stand to gain more by being the only entity that can surveil the user this way, vs. allowing others to collect data on the user without having to go through Google's services (and pay them).

  • haswell

    today at 1:45 PM

    To broaden my point, I think we’d find that many websites we use are doing this.

    My point isn’t that this is acceptable or that we shouldn’t push back against it. We should.

    My point is that this doesn’t sound particularly surprising or unique to LinkedIn, and that the framing of the article seems a bit misleading as a result.

    • autoexec

      today at 5:43 PM

      I've love it if LinkedIn got successfully sued for millions and it resulted in similar lawsuits against every other website that did this sort of thing.

    • devy

      today at 1:52 PM

      > To broaden my point, I think we’d find that many websites we use are doing this.

      Your point of "I think we’d find that many websites we use are doing this" doesn't make LinkedIn's behavior ok!

      By your logic, if our privacy rights are invaded which is illegal in most jurisdiction, and then it become ok because many companies do illegal things??

      • haswell

        today at 2:01 PM

        Absolutely not. At no point am I saying this is ok.

        I’m saying that the framing of the article makes this sound like LinkedIn is the Big Bad when the reality is far worse - they’re just one in a sea of entities doing this kind of thing.

        If anything, the article undersells the scale of the issue.

      • today at 2:28 PM

      • coldpie

        today at 2:22 PM

        You really need to work on your reading comprehension, dude.

  • Aurornis

    today at 2:11 PM

    > What business is it of LinkedIn's what browser extensions I have installed?

    The list of extensions they scan for has been extracted from the code. It was all extensions related to spamming and scraping LinkedIn last time this was posted: Extensions to scrape your LinkedIn session and extract contact info for lead lists, extensions to generate AI message spam.

    That seems like fair game for their business.

    • autoexec

      today at 5:46 PM

      > The list of extensions they scan for has been extracted from the code. It was all extensions related to spamming and scraping LinkedIn

      Not according to the website which says:

      The scan doesn’t just look for LinkedIn-related tools. It identifies whether you use an Islamic content filter (PordaAI — “Blur Haram objects, real-time AI for Islamic values”), whether you’ve installed an anti-Zionist political tagger (Anti-Zionist Tag), or a tool designed for neurodivergent users (simplify). Under GDPR Article 9, processing data that reveals religious beliefs, political opinions, or health conditions requires explicit consent. LinkedIn obtains none.

      It also scans for every major competitor to Microsoft’s own products — Salesforce, HubSpot, Pipedrive — building company-level intelligence on which businesses use which software. Because LinkedIn knows your name, employer, and role, each scan aggregates into a corporate technology profile assembled without anyone’s knowledge.

    • tartoran

      today at 2:18 PM

      And instead LinkedIn is scraping all users computers?

      • Aurornis

        today at 2:43 PM

        This doesn’t fit the description of scraping by any normal definition. It’s a classic feature probe structure, where the features happen to be scraping extensions.

        I think it’s kind of funny that HN has gone so reactionary at tech companies that the comments here have become twisted against the anti-spam measures instituted on a website that will never trigger on any of their PCs, because HN users aren’t installing LinkedIn scrape and spam extensions.

        • ImPostingOnHN

          today at 3:24 PM

          HackerNews users used to be the type that would do the scraping, so they could Hack the data into whatever format or integration they desired.

          It's unfortunate to see folks here who don't support that – interoperability is at the heart of the Hacker Ethic. LinkedIn (along with any other big tech companies locking down and crippling their APIs) is wrong to even try to block it.

          Is it an issue of the resources scrapers consume? No: Even ordinary users trying to get API access on a registered persistent account linked to their name are stymied in accessing their own data. LinkedIn simply doesn't want you to access your own data via API, or in any manner that isn't blessed by them. That ain't right.

          • warkdarrior

            today at 4:19 PM

            LinkedIn has an API you can use at your convenience: https://learn.microsoft.com/en-us/linkedin/

            Accessing other users' LinkedIn data via the API requires their OAuth consent, as it should be. But you are welcome to access your own data via the API.

    • 52-6F-62

      today at 2:25 PM

      Sounds a little like "OpenAI must protect itself against copyright infringement by any means necessary, including copyright infringement of everyone else"

  • MikeNotThePope

    today at 2:48 PM

    If I had to guess, LinkedIn would be primarily searching for extensions that violate their terms of service (e.g. something that could be used to scrape data). They put a lot of effort into circumventing automated data collection. I could be wrong.

  • jacquesm

    today at 2:44 PM

    > I think we should push back hard on behavior like this.

    Indeed, so I gather all of you have canceled your LI account over this?

    I never made one in the first place because it was pretty clear to me that this company - even before the acquisition - had nothing good in mind.

  • phendrenad2

    today at 3:33 PM

    So why not say that LinkedIn is murdering people? I mean, if all you care about is raising awareness with maximal clickbait...

  • casey2

    today at 1:57 PM

    [flagged]

• Aurornis

  today at 2:07 PM

  This has been covered several times including reverse engineering of the code. The list of extensions they check for doesn’t include common extensions like ad blockers. It’s exclusively full of LinkedIn spamming and scraping type of extensions.

  They also logically don’t need to fingerprint these users because those people are literally logging in to an account with their credentials.

  By all appearances they’re just trying to detect people who are using spam automation and scraping extensions, which honestly I’m not too upset about.

  If you never install a LinkedIn scraper or post generator extension you wouldn’t hit any of the extensions in the list they check for, last time I looked.

  • honzaik

    today at 2:16 PM

    it apparently scans for something like "PQC Checker", an extension for checking if TLS connection is PQC-enabled? how is that a spam extension (and thats just a random one i saw)

    • Aurornis

      today at 2:20 PM

      Probably compromised extensions or misleading extensions.

      It’s common for malware extensions to disguise themselves as something simple and useful to try to trick a large audience into installing them.

      That’s why the list includes things like an “Islamic content filter” and “anti-Zionist tagger” as well as “neurodivergent” tools. They look for trending topics and repackage the scraper with a new name. Most people only install extensions but never remove them if they don’t work.

      • honzaik

        today at 2:22 PM

        well if they have evidence why they dont report it? why are these extensions on the store? im sure linkedin has enough motion to report it directly to google

        also, having a PQC enabled extension doesnt seem like a good "large user base capture" tactic.

        the source code is as usual obfuscated react but that doesnt mean its malicious...

        EDIT: i debuged the extension quickly and it doesnt seem to do anything malicious. it only sends https://pqc-extension.vercel.app/?hostname=[domain] request to this backend to which it has permissions. it doesnt seem to exfiltrate anything else. it might get triggered later but it has very limited permissions anyway so it doesnt seem to be a malicious extension. (but im no expert)

        • Aurornis

          today at 2:47 PM

          > well if they have evidence why they dont report it? why are these extensions on the store?

          We had a browser extension for our product. A couple times a month someone would clone it, add some data scraping or other malware to it, and re-upload it with the same or similar name.

          We set up automated searches to find them. After reporting it could take weeks to get them removed, some times longer. That’s for extensions with clear copyright problems!

          The extensions may not be breaking any rules of the extension stores if they’re just scraping a website. Many of the extensions on the list are literally designed to do that as their headline feature.

          If you think sending data from a page to a server would disqualify an extension from an extension store then think again. Many of the plugins listed even have semi-plausible reasons for uploading the scraped data, like the “anti-Zionist tagger” extension on the list or the ones that claim to blur things that are anti-Islam. Manufacturing a reason to send data to their servers gives them cover.

          • honzaik

            today at 2:57 PM

            I am aware that google will take looong time to act. that is why I mentioned that it is LinkedIn (Microsoft) or its contracted fingerprinting/"monitoring" partner who may have more direct ways to report this if they actually investigate malicious extensions.

            but that doesn't really matter. for the sake of the argument assume the extensions are not malicious (as evidenced e.g. by the PQC one with ?16 users?) does that change the situation?

      • reaperducer

        today at 4:03 PM

        Probably compromised extensions or misleading extensions.

        You'll have to do better than "Probably."

        What is it about the tech bubble that compels people to proactively apologize for and excuse the bad behavior of trillion-dollar companies?

• VladVladikoff

  today at 1:53 PM

  It is likely in response to scraping. Linked in is heavily scraped by scammers who do the BEC scams. So linked in is trying to find ways to link together banned accounts, to handle their ban evasion.

  I run a site which attracts a lot of unsavoury people who need to be banned from our services, and tracking them to reban them when they come back is a big part of what makes our product better than others in the industry. I do not care at all about actually tracking good users, and I am not reselling this data, or anything malicious, it's entire purpose is literally to make the website more enjoyable for the good users.

  • dweinus

    today at 2:04 PM

    Understandable, and yet none of that makes it ok.

  • jacquesm

    today at 2:46 PM

    > it's entire purpose is literally to make the website more enjoyable for the good users.

    There are people who actually enjoy using LinkedIn?

  • colechristensen

    today at 3:46 PM

    >Linked in is heavily scraped by scammers who do the BEC scams.

    It's also heavily scraped by businesses for lead generation for sales and recruiting. Either before their API became available or to not pay them or to get around the restrictions of their API.

• cachius

  today at 4:24 PM

  > expect to find in modern browser fingerprinting

  No. Don't need extensions for that. See how Cloudflare Turnstile does it, recently popped up at https://news.ycombinator.com/item?id=47566865 cause ChatGPT uses it now:

  Layer 1: Browser Fingerprint WebGL (8 properties): UNMASKED_VENDOR_WEBGL, UNMASKED_RENDERER_WEBGL, WEBGL_debug_renderer_info, getExtension, getParameter, getContext, canvas, webgl

  Screen (8): colorDepth, pixelDepth, width, height, availWidth, availHeight, availLeft, availTop

  Hardware (5): hardwareConcurrency, deviceMemory, maxTouchPoints, platform, vendor

  Font measurement (4): fontFamily, fontSize, getBoundingClientRect, innerText. Creates a hidden div, sets a font, measures rendered text dimensions, removes the element.

  DOM probing (8): createElement, appendChild, removeChild, div, style, position, visibility, ariaHidden

  Storage (5): storage, quota, estimate, setItem, usage. Also writes the fingerprint to localStorage under key 6f376b6560133c2c for persistence across page loads.

  Scanning for 6000 extensions is anti-competitive, surveillant and immoral.

• cogman10

  today at 8:01 PM

  > It also seems like what I’d expect to find in modern browser fingerprinting code.

  Exactly what I think it is. It's all for tracking and ultimately for advertisement. Linkedin can get exactly who you are and then they share that data with ad companies to better target you.

  Really gross behavior.

• austin-cheney

  today at 7:13 PM

  > I’m not deeply familiar with what APIs are available for detecting extension

  Here is what the article says:

  Method 1

      async function c() {
        const e = [],
          t = r.map(({id: t, file: n}) => {
            return fetch(`chrome-extension://${t}/${n}`)
          });
        (await Promise.allSettled(t)).forEach((t, n) => {
          if ("fulfilled" === t.status && void 0 !== t.value) {
            const t = r[n];
            t && e.push(t.id);
          }
        });
        return e;
      }
  

  Method 2

      async function(e) {
        const t = [];
        for (const {id: n, file: i} of r) {
          try {
            await fetch(`chrome-extension://${n}/${i}`) && t.push(n);
          } catch(e) {}
          e > 0 && await new Promise(t => setTimeout(t, e));
        }
        return t;
      }
  

  The API is making an HTTP request to

      chrome-extension://${store_id}/${file_name}
  

  There is then a second stage where they walk the DOM looking for text signatures and element attributes indicative of the store_id values

  It looks like the user has the freedom to manage this by launching chrome with this flag: --disable-extensions

  It also seems there is an extension for extension management to deny extension availability by web site: https://superuser.com/questions/1546186/enable-disable-chrom...

• chromacity

  today at 2:55 PM

  > I’m not deeply familiar with what APIs are available for detecting extensions, but the fact that it scans for specific extensions sounds more like a product of an API limitation (i.e. no available getAllExtensions() or somesuch) vs. something inherently sinister

  This seems like a really weird argument to make. The fact that the platform doesn't provide a privacy-violating API is not an extenuating circumstance. LinkedIn needed to work around this limitation, so they knew they're doing something sketchy.

  For the record, I don't think they're being evil here, but the explanation is different: they're don't seem to be trying to fingerprint users as much as they're trying to detect specific "evil" extensions that do things LinkedIn doesn't want them to do on linkedin.com. I guess that's their prerogative (and it's the prerogative of browsers to take that away).

  • davedx

    today at 3:26 PM

    What are the religious-related extensions described in the article doing that's "evil"?

    • chromacity

      today at 4:56 PM

      Judging from the fact that 99% of the list seem like data-mining scam apps or spam tools, I suspect that's the answer in these cases too.

      If LinkedIn really wanted to profile your religious beliefs, they would presumably go after the most popular religion-related extensions, not some "real-time AI for Islamic values" thing with 6k users.

• drnick1

  today at 6:45 PM

  The bigger problem I see here is browser security and Javascript as a whole. Browsers should not be allowed to extract and send such vast amounts of information in the first place, especially without the user's consent. At most, they should return a few broad things such as browser type (major version), language perhaps, and device type (mobile/desktop). That's it. Other things, such as exact resolutions, time zones, and other hardware identifiers make it trivially easy to track users across the Internet. Now that it's too late to revise Web standards, browsers should default to return spoofed values for all the rest.

• lxgr

  today at 2:51 PM

  > The scan probes for thousands of specific extensions by ID, collects the results

  Why exactly does Chrome even allow this in the first place!? This is the most surprising takeaway for me here, given browser vendors' focus on hardening against fingerprinting.

  • spopejoy

    today at 3:18 PM

    Firefox FTW. I was relieved to find this was a Chrome-only problem.

    • lxgr

      today at 4:43 PM

      Turns out Firefox has a similar issue, despite mitigations :( https://bugzilla.mozilla.org/show_bug.cgi?id=1372288

      • eipi10_hn

        today at 6:29 PM

        This only happens if the extension puts their `moz-extension://` links into the DOM. It's different to chrome case where extensions can be detected regardless of being activated on that site or not.

        • lxgr

          today at 6:44 PM

          As I understand it, an extension could also leak its links via its own backend, e.g. to advertisers, who could then detect it even though no user-observable DOM modification is happening.

          Much better than static global IDs, but still not ideal.

    • today at 3:40 PM

  • susupro1

    today at 3:27 PM

    [dead]

• mcv

  today at 3:01 PM

  Why is JavaScript running in a page even allowed to know what extensions I have? Is this also what sites use to see I've got an ad blocker?

  Just run everything in a safe environment that it can't look out of.

  • cwmma

    today at 3:15 PM

    The page isn't allowed to know what extensions you have, instead LinkedIn is looking for various evidence that extensions are installed, like if an extension was to create a specific html element, LinkedIn could look for evidence of that element being there.

    Since the extensions are running on the same page as LinkedIn (some of them are explicitly modifying the LinkedIn the website) it's impossible to sandbox them so that linked in can't see evidence of them. And yes this is how a site knows you have an ad blocker is installed.

    • eipi10_hn

      today at 6:25 PM

      Page can know what your chrome extensions are, even when your extensions don't interact with the site, by fetching `web_accessible_resources`: https://browserleaks.com/chrome#web-accessible-resources-det... . uBO mitigates this partly by generating internal secret tokens for each request: https://github.com/gorhill/uBlock/tree/master/src/web_access... .

      However, there are other proof of concept of another attack vector to bypass this by using timing difference when fetching those resources.

      I help maintaining uBO's lists and I've seen one real world case doing this. It's a trash shortener site, and they use the `web_accessible_resources` method as one of their anti-adblock methods. Since it's a trash site, I didn't care much later.

• Griffinsauce

  today at 6:53 PM

  > But I do take some issue with the alarmist framing of what's going on.

  On the contrary, your framing is quite defeatist IMO. The fact that stores get robbed frequently does not mean we should just normalize that and accept it as a fact of life.

• gabbagool

  today at 4:29 PM

  Just because someone lets the electrician (LinkedIn) into their home (browser) doesn't mean they can do whatever the hell they want that isn't expressly prohibited. If the electrician wants to rifle through my desk drawers, they should ask for permission, and I will politely tell them to leave.

  • longislandguido

    today at 5:09 PM

    If your electrician was known to be hostile like the Internet, then you'd put locks on your drawers.

    The browser security model right now is more like those completely ineffective "gun free zone" signs cities tack up in public parks.

• xXSLAYERXx

  today at 4:35 PM

  I worked for a company that sold b2b contact data and they had (maybe still have) a linkedIn extension. It basically enriched the linkedIn profile. I wonder if linkedIn is trying to block these, or heavily target, in some way, these types of users to push folks towards their sales navigator.

• stronglikedan

  today at 6:01 PM

  > sounds more like a product of an API limitation (i.e. no available getAllExtensions() or somesuch) vs. something inherently sinister (e.g. “they’re checking to see if you’re a Muslim”)

  Then why search for PordaAI or Deen Shield? Or more specifically, since getAllExtensions() would return them, why would they be on the "scan list", instead of just ignored?

• socalgal2

  today at 6:42 PM

  How does this scan happen. AFAIK there is no API for a webpage to scan for extensions. The most a page could do is try to figure out indirectly if an extension exists if that extension leaks info into the page.

• catlifeonmars

  today at 2:32 PM

  > I’m certainly not endorsing it, do think it’s pretty problematic, and I’m glad it’s getting some visibility. But I do take some issue with the alarmist framing of what’s going on.

  Speaking has someone who shares the same lack of surprise, perhaps some alarm is warranted. Just because it’s ubiquitous doesn’t mean it’s ok. This feels very much frog in boiling water for me.

  Why do you think the alarmist framing is unwarranted?

  • haswell

    today at 3:22 PM

    I do think a degree of alarm is appropriate.

    But it’s critical to sound the correct alarm.

    To me, it seems like the authors pulled the fire alarm for a single building when in reality there’s a tornado bearing down.

    And by doing so, everyone is scrambling about a fire instead of the response a tornado siren would cause.

    They’re both dangerous and worthy of an immediate reaction, but the confusion and misdirection this causes seems deeply problematic.

    When people realize the fire wasn’t real, they start to question the validity of the alarm. The tornado is still out there.

    I realize this analogy is a bit stretched.

    As someone who has spent quite a lot of time steeped in security/privacy research, the stuff described in the article has been happening pervasively across the industry.

    People absolutely should be alarmed. Many of us have been alarmed for quite some time. Raising the alarm by saying “LinkedIn is searching your computer” isn’t it.

    • mr-wendel

      today at 4:02 PM

      I think this is a great analogy. I read quite a bit of the site and it's wildly blown out of proportion and severely lacking in context.

      How many phone apps do you think are trying to detect what else is installed on your phone? I was part of an acquisition of a company with a very large mobile user base and our new parent was shocked we weren't trying to passively collect device information like this. They for sure were.

      And on the flip side, as others have done well to point out, there are a LOT of legitimate reasons to fingerprint users for anti-fraud/abuse and I am 100% convinced that we're all better off for this.

      Maybe thats all this story is about, maybe not, but this article leaves out an incredible amount of complexity.

• today at 5:04 PM

• tpoacher

  today at 2:40 PM

  I get the point you're making, but to be clear, "they’re checking to see if you’re a Muslim" vs "they’re checking to see if your fingerprint matches that of known Muslims in our ever-expanding database" are not too far off.

• jredwards

  today at 2:11 PM

  I've been avoiding Chrome-based browsers for many years now but have only recently become aware of how catastrophically low the Firefox market share is. I'm kind of shocked that more people aren't choosing to avoid Chrome.

• giancarlostoro

  today at 2:03 PM

  > It also seems like what I’d expect to find in modern browser fingerprinting code.

  Time to figure out if I can make FireFox pretend to be Chrome, and return random browser extensions every time I visit any website to screw up browser fingerprinting...

• Bender

  today at 4:38 PM

  Javascript can query chrome extensions [1] and much more [2].

  [1] - https://browserleaks.com/chrome

  [2] - https://browserleaks.com/javascript

  • francoi8

    today at 5:10 PM

    This blows my mind. What good reason is there for giving javascript such permissions by default? This should at the minimum trigger an explicit permission request from the user.

• inetknght

  today at 2:11 PM

  > the fact that it scans for specific extensions sounds more like a product of an API limitation (i.e. no available getAllExtensions() or somesuch) vs. something inherently sinister (e.g. “they’re checking to see if you’re a Muslim”).

  Your computer is your private domain. Your house is your private domain. You don't make a "getAllKeysOnPorch()" API, and certainly don't make "getAllBankAccounts()" API. And if you do, you certainly don't make it available to anyone who asks.

  It absolutely is sinister.

• neya

  today at 1:58 PM

  > I’ve come to mostly expect this behavior from most websites that run advertising code and this is why I run ad blockers.

  We should not normalise nor accept this behaviour in the first place.

• pqtyw

  today at 2:10 PM

  > no available getAllExtensions()

  Well great there is no avalable 'getAllFiles()' or such either because they'd be scanning your files for "fingerprinting" as well.

  > alarmist framing

  Well they literally searching your computer for applications/extensions that you have installed? (and to an extent you can infer what are some of the desktop applications you have based on that too)

• dcchuck

  today at 5:07 PM

  I agree. The first paragraph on the page implies the javascript can natively search your machine (vs. via Browser Extensions)

• fasterik

  today at 2:57 PM

  >this is why I run ad blockers.

  It's important to note that this isn't fixed by ad blockers. To avoid this kind of fingerprinting, you need to disable JavaScript or use a browser like Firefox which randomizes extension UUIDs.

  • spopejoy

    today at 3:18 PM

    Yes, but FF also prevents the extension scanning. It's scandalous that Chrome allows this!

• urig

  today at 2:56 PM

  The tracking described is extremely invasive. You say you are not endorsing it but you are certainly normalizing it. This is unacceptable.

  The people behind this URL are trying to hold Microsoft accountable. The power to them.

• nkrisc

  today at 1:58 PM

  > i.e. no available getAllExtensions() or somesuch) vs. something inherently sinister (e.g. “they’re checking to see if you’re a Muslim”

  But I bet they could reliably guess your religious affiliation based on the presence of some specific browser extensions.

  • caminante

    today at 2:15 PM

    They already have so much telemetry from your phone, IP, etc.

    God forbid they make an educated guess based on your actual LinkedIn connections, name, interests, etc.

• FloorEgg

  today at 3:53 PM

  I wonder if their motivation for doing this is to detect the LinkedIn automation tools that power all the spam messaging and connection requests?

• Betelbuddy

  today at 2:41 PM

  The next step for a forensic investigator, is to found out how many of those extensions, are actually from a partner or fully owned subsidiary from LinkedIn... When you see a cockroach...

• RankingMember

  today at 2:28 PM

  > this is why I run ad blockers.

  What's been really obnoxious lately is the number of sites I try to do things on that are straight up broken without turning off my ad-blocker.

• MisterTea

  today at 2:05 PM

  > The scan probes for thousands of specific extensions by ID, collects the results, encrypts them, and transmits them to LinkedIn’s servers.

  Why is this even possible in the first place? It's nobodies business what extensions I have installed.

• storus

  today at 3:26 PM

  Which browsers in which mode (normal/private) are affected?

• thfuran

  today at 4:08 PM

  >vs. something inherently sinister

  This is inherently sinister.

• darepublic

  today at 7:38 PM

  linked in is scummy but yes I was puzzled by how linked in could scan your comouter from the browser. when i saw they meant extensions I thought aha.

• jollymonATX

  today at 6:31 PM

  Your expectations do not matter here frankly. This reads like CFAA to me, unauthorized access.

• whimsicalism

  today at 4:32 PM

  this is obviously not fingerprinting code to anyone with a brain, it's about scraping

• chistev

  today at 3:17 PM

  But what would be the benefit of them doing that?

• secondcoming

  today at 6:05 PM

  My biggest gripe is why these JS APIs even exist in the first place

• nailer

  today at 3:40 PM

  > The headline seems pretty misleading.

  Yes. I was expecting LinkedIn was connecting to extensions that are using their exhanced privileges to scan your computer, per the "LinkedIn Is Illegally Searching Your Computer" headline.

  Instead, LinkedIn is scanning for extensions.

• dfxm12

  today at 3:16 PM

  But I do take some issue with the alarmist framing of what’s going on.

  I’ve come to mostly expect this behavior from most websites that run advertising code

  We should be alarmed that websites we go to are fingerprinting us and tracking our behavior. This is problematic, full stop. The fact that most websites are doing this doesn't change that.

• wat10000

  today at 2:37 PM

  Your post sounds like "it sounds bad, but it's no different from what others do, so it's not that bad."

  I would put it more like: it sounds bad, and it's no different from what others do, so they're all that bad.

  The fact that they're working around an API limitation doesn't make this better, it just proves that they're up to no good. The whole reason there isn't an API for this is to prevent exactly this sort of enumeration.

  It's clear that companies will do as much bad stuff as they can to make money. The fact that you can do this to work around extension enumeration limits should be treated as a security bug in Chrome, and fixed. And, while it doesn't really make a difference, LinkedIn should be considered to be exploiting a security vulnerability with this code.

• j45

  today at 2:15 PM

  There is clear rules around what you can and can't do to fingerprint users. if it's being done overtly, covertly, obscurely, indirectly, all for the same result through direct or indirect or correlated metadata it ends up with the same outcome.

  My understanding is the rules and laws are to prevent the outcome, by any means, if it's happening.

• j45

  today at 2:12 PM

  I wonder if this is part of the reason why LinkedIn tabs seem to use so much ram, and sometimes run away CPU processes.

• j45

  today at 2:22 PM

  > "they're checking to see if you're a Muslim"

  This could be easily inferred from the depth, breadth, and interconnectedness of data in the website.

  By downplaying it, it's allowing it to exist and do the very thing.

  The issue here is this stuff is working likely despite ad blockers.

  Fingerprinting technology can do a lot more than just what can be learned from ads.

  From the site:

  "The scan doesn’t just look for LinkedIn-related tools. It identifies whether you use an Islamic content filter (PordaAI — “Blur Haram objects, real-time AI for Islamic values”), whether you’ve installed an anti-Zionist political tagger (Anti-Zionist Tag), or a tool designed for neurodivergent users (simplify). Under GDPR Article 9, processing data that reveals religious beliefs, political opinions, or health conditions requires explicit consent. LinkedIn obtains none." https://browsergate.eu/extensions/

• fp64

  today at 1:53 PM

  [dead]

• vaginaphobic

  today at 5:11 PM

  [dead]

• mentalgear

  today at 1:46 PM

  > The scan probes for thousands of specific extensions by ID, collects the results, encrypts them, and transmits them

  And probably also vibe-coded therefore 2 tabs of LinkedIn take up 1GB of RAM (was on the front page a few days back).

A few years ago, intentionally fingerprinting or tracking your users without disclosure was spyware and unethical. Alas, here we are.

Anyway, what they're calling "spectroscopy", is a combination of extension probing and doing residue detection (looking for what extensions might leave behind in the DOM).

An ad blocker is not necessarily equipped to help since the script is embedded with the application code. Since they're targetting Chrome, switching browsers will help with the probing but not the detection part and you'll still be fingerprinted.

The only way forward is for browser vendors to offer a real privacy or incognito mode where sites are sandboxed by default. When the default profile is identical across millions of users there won't be anything unique to fingerprint.

I don't have a linkedin acct. So imagine my shock when I "googled" myself and found a linkedin profile connecting my name to a company I presently have a consulting arrangement with (1099 not W2). I went ballistic and fired off an email to the consulting firm to take down the profile immediately or face legal action (a bluff). Couple days later, the company forwarded an email they received from linkedin confirming the profile had been taken down.

So this is just a heads up that even if you don't have a linkedin account, they will create one on your behalf so might better check (assuming you neither have nor want one).

• crazygringo

  today at 7:12 PM

  What's the path for that to even happen?

  Are companies now commonly uploading lists of employees to LinkedIn? Is this happening automatically because you got an e-mail account from the company and the company runs on MS Office and you're identified as am employee within it? What triggered it?

  This seems like somewhat of a scandal that deserves its own post, but it also needs a lot more details to be trustworthy and for people to understand what exactly is happening.

  Also, was there some way for you to take ownership of the profile? Did it depend on verifying a certain e-mail address? Does it require you to get the company to remove it, or could you take ownership and then delete the LinkedIn account/profile yourself?

  • Beestie

    today at 7:50 PM

    I rather suspect the information was siphoned to linkedin from the payroll company the consulting firm was using. While there are a zillion small consulting firms, there are a small number of firms which process their payroll (whether to employees or independent contractors like myself). I have no evidence to back this up but after thinking it through, it made more sense than every little mom/pop/medium size niche company all cooperating with linkedin vs a hand full of mega payroll consolidators selling aggregated lists to linkedin. Again, speculation on my part.

    • crazygringo

      today at 8:01 PM

      Interesting. That's a possibility... but how much information did the LinkedIn account have? Did it have your full job title? I'm not sure how much information is shared with payroll providers.

      Again, there's no real reporting on the internet of LinkedIn creating profiles for people without their consent. If you have any documentation and details, this is the kind of thing worth posting here in full detail and/or contacting a journalist about. Of course, if it was in the past you might not have any of that info anymore.

• TheSkyHasEyes

  today at 7:42 PM

  Of all the reading I've done on this story, your comment so far is the only post which would explain why linkedin is even doing this.

  If anyone else as any more info on the why, please share.

this is a massive violation of trust

> The scan doesn’t just look for LinkedIn-related tools. It identifies whether you use an Islamic content filter (PordaAI — “Blur Haram objects, real-time AI for Islamic values”), whether you’ve installed an anti-Zionist political tagger (Anti-Zionist Tag), or a tool designed for neurodivergent users (simplify).

• Aurornis

  today at 2:15 PM

  Many extensions designed to scrape data from social media websites are disguised as simple extensions that do something else.

  If I had to guess: I sought that automatic content blurrer, neurodivergent website simplifier, or anti-Zionist tagger actually work. They’re all just piggybacking on trending topics to get users to install them and then forget about them, then they exfiltrate the data when you visit LinkedIn.

  • cryptoegorophy

    today at 3:21 PM

    This. Do not install any extension unless you absolutely need. Assume they all leak your browsing data. Not familiar with Google but if you can just vibe code your own extension then do that.

    • cousin_it

      today at 5:15 PM

      Vibe supply chain attacks are coming btw.

      • johanyc

        today at 5:46 PM

        Wdym? You vibe code your software. Are you saying the LLM will spit out malware?

        • GrinningFool

          today at 6:27 PM

          Sooner or later, yes. What stops it , other than layers of imperfect process? And it's the perfect vector to exploit anyone who doesn't review and understand the generated code before running it locally

    • dcchuck

      today at 4:46 PM

      They're also the only avenue to breaking out of the browser sandbox.

• crazygringo

  today at 7:14 PM

  It's for fingerprinting and possibly ad targeting.

  It's no different from when you visit an Islamist or anti-Zionist website that has analytics/trackers/ads on it.

  It's bad, but this "massive violation of trust" is happening everywhere and has been for decades. There's nothing that's unique to Microsoft here.

• gwerbin

  today at 1:56 PM

  Almost certainly they are using that for audience segmentation and ad targeting. Clever and disgusting. This isn't the invention of some evil moustache-twirling executive, this was the invention of an employee or group of employees who value money more than morals. We should think of such employees as henchmen.

  • luxuryballs

    today at 2:49 PM

    if they do a better job at showing me an ad that might be relevant to me, how is that disgusting? if I have to see an ad at all I at least want them to give it their best shot

    • alt227

      today at 4:29 PM

      I cant believe that people still have the attitude that the trillions of dollars being invested in all this technology and tracking is just to give them a more relevant ad.

      Do people really not remember scandals like Cambridge Analytica, and realise that these ads combined with social media feeds can be used to literally control and manipulate peoples decisions and behavoir?

      Theres a reason Facebook and Youtube just got sued for being intentionally addictive attention machines.

      • caminante

        today at 5:05 PM

        You're glossing over the nuance of the Cambridge Analytica scandal or at least I don't see how it's connected here.

        Facebook was a party, but not the protagonist.

        - a Cambridge researcher (Aleks Kogan) created a personality quiz FB app advertised as academic research

        - users had to consent to download the app

        - the app nefariously scraped users' friends' data (300k users unlocked 87 million users' data)

        - the information was sold to Cambridge Analytica

        - who then used the information to profile American voters

        LinkedIn already has all of this information from the information you feed it. Scanning for more information provides more refined views, but LinkedIn already has your graph.

        • alt227

          today at 5:39 PM

          The parent post said:

          > if they do a better job at showing me an ad that might be relevant to me, how is that disgusting?

          To me that signalled that the author of the comment doesnt really care what is gonig on behind the scenes if the result is a better and more relevant ad.

          I see this attitude often from people who dont seem to understand the severity and seriousness of online tracking which leads to psychological profiling which leads to manipulation.

          > who then used the information to profile American voters

          You seem to have missed off the most serious bit at the end. Cambridge Analytica then used the data to profile millions of voters, and purposefully target divisive and flammable political material to specific suggestible people in order to manipulate outcomes.

          This same thing is done all the time by all tracking and ad companies. I think this thread has gone beyond just LinkdIn scanning your browser extensions.

          • caminante

            today at 6:10 PM

            I agree that it could come off as gross negligence to not care about what happens with your data.

            My point is that LinkedIn already has enough information (We've willingly given them!) to manipulate outcomes and if they're doing something nefarious, then it's already too late.

            Whereas Cambridge Analytica involved bad actors (not Facebook) duping customers and re-selling their data. I don't think those elements are necessarily in play here.

      • luxuryballs

        today at 5:58 PM

        is the manipulation of decisions and behavior not just a way of saying sales and marketing? I agree that it def can be used for bad things, but so can most tools/systems

    • GrinningFool

      today at 6:28 PM

      The rules say we should default to assuming good faith in comments. But it's hard when I see this comment in 2026.

    • gwerbin

      today at 3:09 PM

      Imagine if someone was following you around with a clipboard writing down everything you do, then rifling through your bookshelf to make note of certain books on the bookshelf, and then using that to target ads at you.

      You'd say that's a ridiculous and illegal thing to do without you explicit consent, right?

      Maybe you personally don't mind and would be happy to offer that consent. But they're doing it without your consent, regardless of whether you want it or not.

    • buellerbueller

      today at 5:10 PM

      It's not just about ads. The same data and tech is also about locking you up and identifying you for deportation you if this admin thinks you are in the USA without permission.

      • gwerbin

        today at 7:11 PM

        And laundering responsibility. If the government uses a contractor to identify deportation candidates using this data, and they get it wrong, the government can at least try to shrug it off and blame the contractor, whose job is in part to absorb public outrage for these sorts of things. Whereas if the FBI wiretaps you and still gets it wrong, it's a lot harder to deflect blame.

    • franktankbank

      today at 4:26 PM

      What if someone makes an ad thats not an ad at all, maybe its a rabbithole designed to fuck with you. Maybe its designed to enrage you.

• egorfine

  today at 2:03 PM

  > this is a massive violation of trust

  This is not. To violate trust, there should have been some.

  • chii

    today at 2:06 PM

    There's an implicit trust that a site doesn't try to racially profile you, as it is illegal. There's no enforcement, but that's why trust is being violated.

    • hedora

      today at 2:42 PM

      It's probably not illegal for advertisers to racially profile you, but it certainly is illegal in the US to do those things as part of your hiring process:

      https://www.eeoc.gov/prohibited-employment-policiespractices

      LinkedIn's scanning for browser extensions used by protected groups allows them to provide illegal services to US-based recruiters. I have no idea if they actually do it or not, and am not a lawyer, but common sense suggests there's enough here for a class action suit to move into discovery.

• einpoklum

  today at 2:06 PM

  If you mean by the website, then - surely not. What basis do you have to trust websites you visit? Especially a social network that owned by Microsoft to boot?

  If you mean the _browser_, then I agree in principle, but - it is a browser offered to you by Alphabet. And they are known to mass surveillance and use of personal information for all sorts of purposes, including passing copies to the US intelligence agencies.

  But of course, this is what's promoted and suggested to people and installed by default on their phones, so even if it's Google/Alphabet, they should be pressured/coerced into respecting your privacy.

• bethekidyouwant

  today at 1:57 PM

  It scans thousands so in thousands, some of them have these weird names

• cbeach

  today at 3:25 PM

  [flagged]

  • calgarymicro

    today at 3:33 PM

    No, they mean Anti-Zionist Tag[0], an extension that is live on the Chrome Web Store and identifies anti-Zionists for the benefit of Zionists.

    [0]https://chromewebstore.google.com/detail/anti-zionist-tag/ek...

    • cbeach

      today at 3:48 PM

      [flagged]

There is no reason to trust any big tech company. Folks should be using containers in their browser if they care about privacy. I previously published a LinkedIn container extension for FireFox: https://addons.mozilla.org/en-US/firefox/addon/linkedin-cont... although as many know you can achieve the same results with Firefox containers without a specific extension like mine if you configure it manually.

I will work on an improvement to that extension so that it can block these scans if they attempt them in firefox.

>the fact that it scans for specific extensions sounds more like a product of an API limitation (i.e. no available getAllExtensions() or somesuch)

Why should a website be able to scan for extensions at all?

Or if there's a legitimate need (like linkedin.com wants to see if you installed the linkedin extension), leave it up to the extension to decide if it wants to reveal itself. The extension can register a list of URL patterns it will reveal itself to. So the linkedin extension might reveal itself only to *.linkedin.com, a language translation extension might reveal itself to everyone, and an adblocker extension might not choose to reveal itself to anyone.

• black3r

  today at 6:04 PM

  that's basically how it already works...

  extensions choose on which site they're active and if they provide any available assets (e.g. some extensions modify CSS of the website by injecting their CSS, so that asset is public and then any website where the extension is active can call fetch("chrome-extension://<extension_id>/whatever/file/needed.css" if it knows the extension ID (fixed for each extension) and the file path to such asset... if the fetch result is 404, it can assume the extension is not installed, if the result is 200 it can assume the extension is installed.

  This is what LinkedIn is doing... they have their own database of extension IDs and a known working file path, and they are just calling these fetches... they have been doing it for years, I've noticed it a few years back when I was developing a chrome extension which also worked with LinkedIn, but back then it was less than 100 extensions scanned, so I just assumed they want to detect specific extensions which break their site or their terms of use... now it's apparently 6000+ extensions...

All I'm seeing is that Chrome apparently is failing to properly sandbox websites against extension fingerprinting.

Sure, this can be solved at the legal layer, but in this case, there seems to be a much simpler and more effective technical solution, so why not pursue that instead?

• streetfighter64

  today at 2:53 PM

  Well, the developers of Chrome aren't exactly incentivized to prevent tracking (though perhaps tracking done by their competitors). But anyway, you can try to prevent it with a technical solution while also being outraged that they did it. If someone has their home broken into, perhaps they should have better locks, but the burglar is still responsible for their actions.

Fwiw... I now run personal and professional browser profiles from two different jails / cgroups. It's a pain in the arse to set up, and I have to verify my config still works after every update, but I get a good feeling knowing my personal chocolate is not mixing in with my professional peanut butter.

I set up the cgroups hack so I could route traffic from a dev profile into a VPS vpn, and may not be that useful for everyone.

But I think this is a reminder that you may want to have at least two profiles: one public and the other private. Do you really want Microsoft to know you installed the "Otaku Neko StarBlazers Tru-Fen Extendomatic" package to change every picture of a current political figure to an image from the cast of Space Battleship Yamato?

• flat-like-paper

  today at 5:52 PM

  I... I searched for this extension.

• fsflover

  today at 5:58 PM

  > I now run personal and professional browser profiles from two different jails / cgroups. It's a pain in the arse to set up, and I have to verify my config still works after every update

  You may be interested in Qubes OS. My daily driver. Can't recommend it enough.

the part about scanning for 509 job search extensions is especially nasty. imagine getting flagged to your employer because linkedin detected you had a job board extension installed.

• al_borland

  today at 1:52 PM

  Several years ago I heard the company I worked for say they had a way to get notified if it seemed like an employee might be thinking of leaving, so they could take some kind of action. I now wonder if LinkedIn, or various job sites, were selling them data.

  • nico

    today at 4:55 PM

    LinkedIn might not need to sell the data. You can set your profile to “open for work” privately, and only recruiters can see it. So if your company has people with LinkedIn recruiter accounts, they could see your profile set to looking for work

    PS: I guess given that recruiter accounts are paid, LinkedIn is technically selling access to the data in a way

• kjkjadksj

  today at 3:35 PM

  It is pretty easy to signal stuff on linkedin without intending to do so. For example whenever I get an old coworker adding me on linkedin, they are 100% of the time job seeking. Inevitably they start a new role some weeks later.

  All one has to do is just measure employees linkedin activity. I mean truthfully people don’t use the site at all if they aren’t actively looking for work. It is corporate dystopia otherwise. It is trivial to find these signals.

• Ajedi32

  today at 1:38 PM

  LinkedIn is a job board so that seems unlikely.

  • mikkupikku

    today at 1:40 PM

    Are you kidding? They've probably been selling a datastream of who in the company has been job searching to company HR departments the whole time. Search for a job on LinkedIn and I bet anybody with a paid corporate account can find that out if they care to.

    • keeda

      today at 6:51 PM

      LinkedIn actually sued HiQ Labs, which scraped LinkedIn to do exactly this (and this extensions scanning is likely a defense mechanism against similar attacks):

      https://epic.org/documents/linkedin-corp-v-hiq-labs-inc/

      > HiQ has created two specific data products targeted at employers: (1) “Keeper,” which informs employers which of their employees are at “risk” of being recruited by competitors; and...

      My hunch is that HiQ simply looked for spikes in activity on LinkedIn as a signal for a job hunt: https://news.ycombinator.com/item?id=47566893

      In any case, this lawsuit was discussed a few times on HN at the time, and IIRC there were a fair bit of support for allowing free scraping of "public information." Interesting how the sentiment here has turned these days...

    • Ikatza

      today at 3:29 PM

      If they have been doing that, they haven't offered it to me, which seems weird since I'm their ICP.

      The simpler explanation is that they aren't doing that.

    • whimsicalism

      today at 4:34 PM

      why is everyone online so incorrectly conspiratorial-minded nowadays? and no, there are not just way more conspiracies nowadays

      • mikkupikku

        today at 6:03 PM

        Why give corps like Microsoft the benefit of the doubt, when you'll be right more often than not by accusing them of anything underhanded?

  • bdangubic

    today at 1:40 PM

    LinkedIn is a job board as much as Facebook is picture-sharing website

    • debesyla

      today at 2:28 PM

      Not in Lithuania. While it's not the No1 or 2,3 platform for job advertisements, it's still very popular, especially for IT and management jobs.

      So this probably depends on the country.

      • bdangubic

        today at 2:49 PM

        Sorry, I meant more like vast majority of people daily on LinkedIn are not there cause they are unemployed and looking for work

this morn while trying to decipher why computer was at 98% memory and 65% cpu

one of the culprits is https://li.protechts.net taking 2GB ram and 8% cpu.

DDG searches say this is something for linkedin. - I had two tabs for linkedin open but left behind as I opened other tabs to research.

So I had not reopened these tabs in over 9 hours and they are still just humming along sucking down almost 10% of cpu and a couple gigs of ram for what?

This is firefox with ublock origin - quick searches saw malwarebytes browser guard considered it (protechts.net) malware for a bit and then took it off the list of things it blocked / warned about.

Not sure this is related to the scan mentioned, but it may be related to the overall concerns about data and unknown usage of resources.

I'm considering blocking this at the dns hosts level at this point.

Separate question, why isn't this kind of stuff something the browser restricts access to or puts behind an approval gate to the end user?

• silverwind

  today at 4:38 PM

  https://support.mozilla.org/en-US/kb/resist-fingerprinting works.

• kjkjadksj

  today at 3:36 PM

  Chrome is adware.

why would the browser ever expose extensions api to a web page. does firefox does this as well?

• ceejayoz

  today at 1:40 PM

  The "The Attack: How it works" section explains how it works. It's not an API.

  I am a little surprised something like CORS doesn't apply to it, though.

  • acorn221

    today at 1:48 PM

    So these extensions allow linkedin to do this though, it's literally them saying "yes, this site can ping this resource" - called "web_accessible_resources".

    This is fair from Linkedin IMO as I've seen loads of different extensions actually scraping the linkedin session tokens or content on linkedin.

    • entropyneur

      today at 4:56 PM

      It's not the extension developer who should decide this, but the browser user.

• Panda4

  today at 1:43 PM

  > Every time you open LinkedIn in a Chrome-based browser, LinkedIn’s JavaScript executes a silent scan of your installed browser extensions.

  It's not clear though, either they only tested against chrome-based browsers or Firefox isn't enabling them to do so.

  edit: I answered before I go fully through the article but it does say it's only Chrome based.

  > The extension scan runs only in Chrome-based browsers. The isUserAgentChrome() function checks for “Chrome” in the user agent string. The isBrowser() function excludes server-side rendering environments. If either check fails, the scan does not execute.

  > This means every user visiting LinkedIn with Chrome, Edge, Brave, Opera, Arc, or any other Chromium-based browser is subject to the scan.

  • OoooooooO

    today at 1:51 PM

    Firefox uses UUID for the local extension url per extension so you can't search for hardcoded local urls.

  • dylan604

    today at 1:50 PM

    What is a Chrome-based browser? Isn't Chrome Google's Chromium based browser? How many are based on Chrome?

    • Panda4

      today at 2:13 PM

      > This means every user visiting LinkedIn with Chrome, Edge, Brave, Opera, Arc, or any other Chromium-based browser is subject to the scan.

      • dylan604

        today at 3:29 PM

        Exactly, so again, what is a Chrome-based browser?

        • Sohcahtoa82

          today at 4:51 PM

          A lot of people mistakenly refer to Chromium-based browsers as being Chrome-based.

          I feel like this is obvious and you know that this is the exact mistake being made, but rather than drop an actual correction, you take the insufferable approach of pretending you don't know what's happening and forming the correction as a question.

          • JumpCrisscross

            today at 5:28 PM

            > A lot of people mistakenly refer to Chromium-based browsers as being Chrome-based

            This seems to be a case where the poison seeps through the cracks. From Google and Chrome to other Chromium-based browsers. In very correct ways, in this case, they are Chrome based.

    • andersonpico

      today at 2:07 PM

      From "The Attack: How it works", its just checking the user agent string:

      function a() { return "undefined" != typeof window && window && "node" !== window.appEnvironment; }

      function s() { return window?.navigator?.userAgent?.indexOf("Chrome") > -1; }

      if (!a() || !s()) return;

• thom

  today at 1:45 PM

  I was under the impression Firefox randomises extension IDs on install, so hopefully not?

• hedora

  today at 2:45 PM

  The answer to "why would Chrome ever undermine privacy and security?" is always "Google's revenue stream".

  I'm happy to see that this doesn't hit firefox. I wonder if safari is impacted.

• Raed667

  today at 1:54 PM

  they seem to be calling `chrome-extension://.....` so i don't think it applies to firefox

The “how it works” page suggests it only works on chrome based browsers. Anyone able to determine if firefox or safari are affected too?

• pamcake

  today at 1:50 PM

  Firefox-based browsers not affected.

  • nottorp

    today at 2:12 PM

    Hmm I opened linkedin in Firefox and ublock origin showed it blocked 4 items... then switched away and back and the counter was up to 12.

    Is that enough blocking, I wonder?

    • tankenmate

      today at 2:38 PM

      Firefox uses randomised IDs for installed extensions, so the method highlighted won't work on Firefox. That's not to say they aren't trying other methods on Firefox.

• RunningDroid

  today at 1:50 PM

  > The “how it works” page suggests it only works on chrome based browsers. Anyone able to determine if firefox or safari are affected too?

  The code filters out non-chrome browsers: >The extension scan runs only in Chrome-based browsers. The isUserAgentChrome() function checks for “Chrome” in the user agent string. The isBrowser() function excludes server-side rendering environments. If either check fails, the scan does not execute.

https://browsergate.eu/extensions/

It seems to not scan for Privacy Badger and uBlock Origin, two extensions I rely on. That's...surprising.

• x0x0

  today at 3:34 PM

  Because what they're scanning for is scrapers. So much linkedin scraping. And I'd bet that the majority of the innocuous-looking extensions are scrapers hidden as other extensions to get users to unknowingly use them.

It will sound like finessing on details, but details are important in these kind of claims, and this seems incorrect

> Microsoft has 33,000 employees and a $15 billion legal budget

Microsoft has more than 220k employees (it's hard to follow with all the layoffs), and the G&A in which bankrolls legal expenses (but not only - it also contains basically every employee who's not engineering or sales) was only 7B in 2025 - so legal budget is much lower than that.

LinkedIn has been a weirdest social network for a long time.

https://hn.algolia.com/?q=linkedin+weird

• theandrewbailey

  today at 2:21 PM

  What scanning for browser extensions taught me about B2B sales

Read this:

> Every time any of LinkedIn’s one billion users visits linkedin.com, hidden code searches their computer for installed software, collects the results, and transmits them to LinkedIn’s servers

And thought, "no way in hell this gets by Safari."

And then, under "The Attack: How it Works":

> Every time you open LinkedIn in a Chrome-based browser

Shocker. If you use a Chromium-based browser, you should expect to be trading away your privacy, IME.

I remember the LinkedIn app that got all your contacts from your phone and tried to add them to your network. I had random people from internet-deals (local craigslist) that where popping up. So strange that this was allowed.

Can't be said enough: Stop using Chrome.

• padjo

  today at 5:19 PM

  Also: stop installing random extensions

  • aerhardt

    today at 6:49 PM

    A lot of extensions on LinkedIn are necessary because of their total lack of innovation. You really cannot do anything in B2B sales or recruiting with only LinkedIn tools. These are not random extensions, but crucial extensions literally saving billions of dollars in wasted time or creating massive opportunities in the global economy.

Wish they'd add a little more to what end-users can do about it like switch to a non chrome-based browser.

• ChrisMarshallNY

  today at 4:23 PM

  It's a call for funding. I suspect the answer they want, is click on a donation link; regardless of which browser you're using.

I wonder how much of this is also used for audience segmentation for their advertisements? Linkedin ads are some of the most expensive out of any social media platform, but they also tend to have the highest conversion since you can get pretty niche with your targeting.

What's an optimistic future for Web fingerprinting? Currently, a website's ability to fingerprint the browser, the device, and the user is absolutely ridiculous.

Here's a quick look at only the static things a website can fingerprint https://www.browserscan.net/.

How a web site can search one's computer?

• RajT88

  today at 1:40 PM

  TFA explains it is looking for installed browser extensions (which sites are allowed to do)

  • hedora

    today at 2:50 PM

    "allowed" by the web browser, but almost certainly not by the end user. The law is pretty clear on this in the US:

    > 'the term “exceeds authorized access” means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter;'

    The problem, of course, is that by clicking on a LinkedIn link, you agree to a non-negotiated contract that can change at any time, and that you have never seen. If that weren't allowed, then this sort of crap would correctly be considered "unauthorized access":

    https://www.law.cornell.edu/uscode/text/18/1030

  • cedilla

    today at 1:46 PM

    Allowed to do? Not prevented from by technical measures, but certainly not allowed to do.

    Considering the goal is to identify people, this is undeniably PII. As the article demonstrates, it also pertains sensitive information.

  • Someone

    today at 1:46 PM

    https://browsergate.eu/how-it-works/: “Every time you open LinkedIn in a Chrome-based browser, LinkedIn’s JavaScript executes a silent scan of your installed browser extensions”

    ⇒ which Chrome allows sites to do.

  • mrgoldenbrown

    today at 2:13 PM

    TFA goes into a lot of detail explaining why they "allegedly" aren't actually allowed to do so in the EU.

  • cwillu

    today at 1:47 PM

    Well, they're able to do it; “allowed” to do it is an ambiguous enough phrasing that it's practically begging to have an argument whose crux is fundamentally about a differing interpretation.

    • RajT88

      today at 1:58 PM

      The author suggests a legal remedy instead of a technical one.

      Which is weird, because that is undeniably the hard way. Lobby Google to add protections to Chromium.

      • cwillu

        today at 3:14 PM

        Putting bars on the windows is fine, but the bad actors still need to be punished.

  • stefanka

    today at 3:36 PM

    Can you build a version of chromium where this will just return false always?

• breppp

  today at 1:57 PM

  it can in the fantasy world of incorrect headlines

• esseph

  today at 1:51 PM

  While you're at it, you should also find out why a website can scan your internal network...

• crest

  today at 1:41 PM

  The title is clickbaity. The website scans the browser for installed extensions.

This website was difficult to follow but I found that this page https://browsergate.eu/extensions/ was the most helpful to understand what they were talking about

Essentially, they are labelling you, like most do, but against some interesting profiles given the kinds of extensions they are scanning for

The most obvious reason for this is browser fingerprinting, right? So your visits to other websites can be linked to your Linkedin identity? Or no?

• glenstein

  today at 1:53 PM

  They also try to profile for things like political beliefs.

  • Someone

    today at 2:11 PM

    I don’t see this article showing that. They query for extensions that could be used to do that, and that likely already is illegal, but those queries could solely be used to uniquely identify users (grabbing more bits makes it less likely to get collisions)

    • hedora

      today at 2:50 PM

      The list of queried extensions includes things that would be used by particular religious groups, and people with certain medical conditions.

      • ziml77

        today at 4:30 PM

        Those being in the list doesn't mean that's what they're looking for. Take a look at the database of extensions, there's far more extensions that don't seem limited to any particular group. The author just called those out specifically because they're perfect for implying nefarious intent.

        • JumpCrisscross

          today at 5:31 PM

          > doesn't mean that's what they're looking for

          It does suggest that’s what they’re collecting. That is per se a violation in many jurisdictions. It should trigger investigations in most others to ensure it wasn’t mis-used.

      • Someone

        today at 3:35 PM

        The claim I replied to is “They try to profile for things like political beliefs”.

        I wasn’t contesting that they query extensions that can be used for that purpose, or that they use query results for that purpose, but indicated that the fact that they make such queries doesn’t necessarily imply that they try to do such profiling.

    • glenstein

      today at 3:27 PM

      From the "Why It's Illegal" section:

      >Political opinions

      >LinkedIn scans for Anti-woke (“The anti-wokeness extension. Shows warnings about woke companies”), Anti-Zionist Tag (“Adds a tag to the LinkedIn profiles of Anti-Zionists”), Vote With Your Money (“showing political contributions from executives and employees”), No more Musk (“Hides digital noise related to Elon Musk,” 19 users), Political Circus (“Politician to Clown AI Filter,” 7 users), LinkedIn Political Content Blocker, and NoPolitiLinked.

      >Each of these extensions reveals a political position. If LinkedIn detects any of them, it has collected data revealing that person’s political opinions. Article 9 prohibits this.

• whimsicalism

  today at 4:37 PM

  no, it's about scraping.

I want to know what power I have as just some guy to do anything about this? (even if just for myself)

I ask because it seems like every job I apply to asks for a linkedin profile, and I've heard floating around that if it's not filled in enough most employers assume you're a bot. Heck, one of the forms from the "who's hiring" thread yesterday straight up said if you have < 100 connections they'd throw out your application. So, in order to get my foot in the door, I need to hand over vast and intricate data about my personal life to a third party?

• OkayPhysicist

  today at 3:54 PM

  For you personally, to solve this issue in particular? Use Firefox. Google is evil, and there's a good chunk of the Chrome team who are actively enemy combatants.

  For the broader issue of not wanting to give even the information you'd need to choose to share to LinkedIn? Network the good ol' fashioned way: talking to random strangers in San Francisco bars.

  • JumpCrisscross

    today at 5:30 PM

    > there's a good chunk of the Chrome team who are actively enemy combatants

    Uh what.

    • OkayPhysicist

      today at 6:24 PM

      Everyone involved in Chrome's most questionable decisions such as Manifest V3's anti-adblocking, the Topics API, etc, are not just working orthogonal to the people's interest, they are directly working against it. I couched my statement down from the entirety of the Chrome team because I hesitate to label "making constant, marginal feature additions that ultimately result in anti competitive behavior" openly malicious.

      Everyone from the suit that made the ultimate calls down to the lowest code monkey who bugfixed such features are responsible for their choice to target the good, common user of the internet. I'm not asking for altruism, I just think people shouldn't choose to do evil, and that those who do anyway should be recognized as such.

• solarkraft

  today at 3:49 PM

  This is why the EU regulates them (or pretends to) as a public utility. The individual action I took was to donate to Fairlinks‘ legal fund.

• nojvek

  today at 3:50 PM

  I’d suggest having an adblocker first.

  Second not having a ton of extensions. Extensions can do fishy things.

  This is Chrome’s broken model. Before installing an extension, one should be able to see all the domains an extension talks to.

  The domains should be listed in manifest. But that’s not how it works.

  In Android, every app you open needs a gazillion default permissions.

> Every time you open LinkedIn in a Chrome[actually Chromium]-based browser

There's a reason I continue to use Firefox (with uBlock Origin) and will never switch.

Also, when I got laid off from a previous job, I made a LinkedIn profile to help find a new job. Once I found a new job, I haven't logged into LinkedIn since - that was almost 2 years ago.

Enumerated a full list.

https://git.gay/SiteRelEnby/browsergate-list

https://git.gay/SiteRelEnby/browsergate-list/src/branch/main...

• SiteRelEnby

  today at 4:47 PM

  Some of the spiciest:

  * Anti-Zionist Tag (directly inferring political opinion)

  * PordaAI (Islamic content filter)

  * simplify (browsergate.eu specifically called out as a neurodivergent accessibility tool. Job search autofill that markets itself as particularly useful for people who struggle with forms)

  * No more Musk ("Hides digital noise related to Elon Musk")

  * Political Circus ("Politician -> Clown AI Filter")

  * Job application trackers and utils ("Job Follow-Up Tracker" etc)

  * Various "Distraction Blocker" type addons

  LinkedIn scanning for tools that scrape LinkedIn:

  * LinkedIn Cookie Sync for Headhunting Agent

  * LinkedIn Cookie importer for Derrick (lol "for Derrick")

  * MailMatics Cookie Grabber

  * LinkedIn Fake Job Post Detector. Yes, they're detecting an addon that exposes fake job postings on their own platform.

  *NOT* in the list, if you were wondering:

  * Shinigami Eyes

  * Dark Reader

  * Adblockers

  * Password managers

  * FoxyProxy

  * User-Agent spoofers, request modification tools, etc

  * Most privacy/security tools (no uBO, no Privacy Badger, no FoxyProxy, no NoScript, etc.

  For the latter category, the most interesting things there we found *were* searched-for are BuiltWith Technology Profiler, and some browser addons bundled from scanners (e.g. "Malwarebytes Browser Guard Beta").

  • pbiggar

    today at 5:02 PM

    The Anti-Zionist tag is interesting. It seems that it's actually an extension that would be used by Zionists, as it identifies anti-zionists, and the wording incorrectly claims that anti-Zionism is hate speech (whereas it is in fact Zionism that is hate-based ideology).

    A lot of Zionists claim -- incorrectly -- that all Jews as Zionists. But certainly the major groups of Zionists are Christian zionists and Jewish Zionists. I would say there is a very very high chance that if you use the Anti-zionist Tag Chrome extension, that you are Jewish.

    So it seems quite likely that Linkedin is actually tracking Jews with this.

I'm certain that if LinkedIn were confronted, that they could produce a response that says they are covered by the TOS you had to agree to in order to use the site. I don't have time to spend scanning legalease. Or make use of LinkedIn. If my system is being scanned, they'll see that I'm using a legitimate licensed copy of Windows 7 on a MODERN computer. If anything is at fault, it includes web browsers that Identify themselves to web sites.

I don't like any of this, but I'm not totally clear how this is substantially different from other fingerprinting technologies which I assume are used by every large tech company. Could anyone elaborate? The post isn't very clear why this is different from other data surveillance.

• cedilla

  today at 1:43 PM

  If other people collect data like that it's probably also illegal.

• arafeq

  today at 2:43 PM

  the difference is intent. regular fingerprinting identifies your browser for ad tracking. linkedin is scanning for 509 specific extensions including job search tools, and they sell recruiter products to your employer. that's not fingerprinting, that's workplace surveillance with extra steps.

Oh boy, they stand to lose dozens of users over this! DOZENS!

Interesting. I didn't know a extension’s web-accessible resource (e.g. chrome-extension://<id>/...) could be abused to learn about the user's installed extensions by checking whether it resolves or not.

• davidmurdoch

  today at 1:46 PM

  You would need to use use_dynamic_url: true in the manifest to create a unique one.

  • acorn221

    today at 1:49 PM

    Yeah, this is the easiest way to get around it

  • philipwhiuk

    today at 2:13 PM

    Or just not allow them to load the URIs at all

Is there a way to disable the ability for websites to scan for extensions in Chrome?

• xoxxala

  today at 1:56 PM

  https://www.firefox.com/

• today at 3:47 PM

• dev1ycan

  today at 2:05 PM

  Nope, which is why Chrome exists, to allow Google to do this. Which is why you should avoid chromium.

"searching your computer" -> using standard web fingerprinting techniques. They don't actually get to read your home directory, and the authors should be honest about this!

That's on brand. I remember their phone app asking for contacts permission and just taking them all and uploading them to their server.

How is it even possible that we've reached a point where "yes, this is obvious and pretty unsurprising" is the default response to spying on an industrial scale.

LinkedIn also violates SPAM regulations on a regular basis. Despite of me having disabled all emails from this service I consistently receive promotional emails. LinkedIn defines a new "type of promotional email" for which it assumes it has implicit consent to send unsolicited emails and proceeds to do so. It then has a fake compliance apparatus by allowing the victim to once again "unsubscribe" from the newly created email subscription which they never consented to on the first place. I really hope there is a class action and these scumbags get fined.

AFAIK it can be fined with up to 4% of revenue in the EU.

How much is that currently? $600M?

This title should be changed as no court found this is illegal, and this is pretty standard, if extensive, browser fingerprinting, however disagreeable it is

• caminante

  today at 2:26 PM

  I agree.

  I'm not convinced by their page explaining "Why it's illegal and potentially criminal" [0]. It's written by security researchers and non-attorneys.

  For example, this characterization seems overly broad:

  > The Court of Justice of the European Union has ruled, in three separate cases, that data which allows someone to infer or deduce protected characteristics is covered by this prohibition, regardless of whether the company intended to collect sensitive data.

  [0] https://browsergate.eu/why-its-illegal/

Go check out QueryAllPackages permission on Android and see which of your apps can scan and know about all the other apps on your Phone. Thanks Google!

• gib444

  today at 2:49 PM

  All apps can do that right

I alway use LinkedIn and Meta websites in a different browser altogether.

I hope browsers in the future will need to ask for permission before doing any of that.

• dt3ft

  today at 1:56 PM

  If you use both from the same IP without using a VPN… the profiles are most certainly grouped. There are commercial datasets on IP addresses with almost 100% accuracy with tags like “school”, “house”, “apartment block” etc. Furthermore, if you ever logged into both sites from within the same browser by accident, the link by fingerprinting was made right there and then. The final profile on you may not be 100% accurate, but certainly is in the 98% range.

  • gwerbin

    today at 1:59 PM

    It's one thing if they have a shadow profile on you (and dozens of companies almost certainly do), but it's another thing if you give them meaningful info about you to enrich that profile with. They can figure out roughly what block you live on, OK fine, but unless you're in a rural area with no neighbors they might not be able to do much better than that.

    • alt227

      today at 5:45 PM

      > They can figure out roughly what block you live on

      Its nothing to do with the specific house you live in, and everything to do with the activity being grouped together with all other activity you have done, which they know from fingerprinting and IP addresses.

      They dont need to know where you live to have a very accurate personal and psychological profile opn you, and switching browsers is not going to help that in the slightest Im afraid.

      • gwerbin

        today at 7:09 PM

        Yes and no. If you block Linkedin SDK scripts on 3rd party sites, it's likely that Linkedin specifically doesn't actually have a good profile on you.

        Realistically you're probably exposed and identified. But if you're meticulous and careful, you might not be, or at least not as completely as someone who is unaware or not careful. But it's not at all the same as if, say, a state actor was motivated to spy on you specifically.

I removed my LinkedIn premium subscription because of this. It was always very suspicious and expensive so they were already on thin ice. This is unacceptable and LinkedIn crossed the line with yet another fascist social media platform.

They only mention this being a potential violation of the DMA. How about north american countries? US and Canada?

• today at 1:32 PM

• hedora

  today at 2:54 PM

  Since the list of extensions they query targets certain religious groups and medical conditions, it's almost certainly in violation of US federal employment and hiring law.

Not mine. And why do we say LinkedIn, it is just Microsoft, just like Github is Microsoft and a whole raft of other companies are just Microsoft in a trenchcoat.

Yep, LinkedIn is cancer.

2020 - LinkedIn Sued For Spying on Clipboard Data After iOS 14 Exposes Its App:

https://wccftech.com/linkedin-sued-for-spying-on-clipboard-d...

2013 - LinkedIn MITM attacks your iPhone to read your mail:

https://www.troyhunt.com/disassembling-privacy-implications-...

2012/2016 - Data breach of 164.6 million accounts:

https://haveibeenpwned.com/breach/LinkedIn

According to haveibeenpwned.com, my email & password were leaked in both the 'May 2012' and 'April 2021' LinkedIn incidents.

• tombert

  today at 5:53 PM

  I'm shocked, shocked to find that a Microsoft product will actively do a bunch of horrible invasive stuff while simultaneously not caring about security of this private data.

6 months ago I already posted about this

https://news.ycombinator.com/item?id=45349476

• EdNutting

  today at 2:41 PM

  If you hadn’t written that post using AI, it might’ve received more attention. Also, (1) if you’d put LinkedIn in the title, rather than the very bottom of the post, and (2) if you’d provided any insight, rather than just speculation, as to what the data might be being used for.

I run MalwareBytes on all my browsers and as my computer protection system.

LinkedIn is getting nothing.

• alt227

  today at 4:31 PM

  Lol, you forgot the /s

Bait, just look at browser addons, millons of site do it as well

• badgersnake

  today at 2:23 PM

  Therefore it’s okay, is that your point? Because I don’t think it is.

seems like clickbaiting, browser can't 'scan' your computer...

> The headline seems pretty misleading.

No it isn't. Performing fingerprinting on user's devices, to ultimately profit of financially or worse is misleading. Especially doing this while knowing the user isn't aware what this really means and just deciding it for them.

The headline is just an exaggerated way of saying what is really happening.

Is there evidence that they use that information for anything other than browser fingerprinting or fraud detection?

That seems like the most obvious use case? Or maybe I missed something in the write up.

• kibwen

  today at 4:50 PM

  We can hypothesize that there may exist some for-profit companies that deserve the benefit of the doubt. Microsoft is not one of them.

i dont like that i pay them $79 a month for them to scrape my extensions

I don’t understand how browser security would allow linkedin to search my computer?

LinkedIn has been overtly evil for decades, and their power users are the most insufferable sort of middle management yuppy scum. I know job searching can be hard, but I don't go near LinkedIn with a ten foot pole.

• anon22981

  today at 1:39 PM

  I really like going to linkedin daily to play minisudoku and a couple of other puzzles, then never engage the feed or other features

  • jameskilton

    today at 1:41 PM

    Why would you go to LinkedIn to play puzzle games? There's thousands of other places to do so.

  • butlike

    today at 2:12 PM

    This is really delightfully quirky

Sounds like containers and potentially adblocking and js blocking prevent this. For my part, I use linked in on my "god dammnit I hate corporate websites so much" browser which is used only for medical bill pay and amazon / wal mart purchases and then monthly bills. Could LinkedIn get something from me there? Potentially, but they're also not really following me around the web. I think given this I'll go install a 3rd browser for linkedin only, or maybe finally just delete my account. It never got me a job and it's a cesspool.

• notafox

  today at 2:08 PM

  You can use Firefox with different profiles and configure it to launch particular profile directly, without launching default profile and using about:profiles.

  Firefox with a non-default profile can be created like that:

    ./firefox -CreateProfile "profile-name /home/user/.mozilla/firefox/profile-dir/"
    # For linkedin that would be:
    ./firefox -CreateProfile "linkedin /home/user/.mozilla/firefox/linkedin/"
  

  And you can launch it like that:

    ./firefox -profile "/home/user/.mozilla/firefox/profile-dir/"
    # For linkedin that would be:
    ./firefox -profile "/home/user/.mozilla/firefox/linkedin/"
  

  So, given that /usr/bin/firefox is just a shell script, you can

      - create a copy of it, say, /usr/bin/firefox-linkedin
      - adjust the relevant line, adding the -profile argument
  

  If you use an icon to run firefox (say, /usr/share/applications/firefox.desktop), you'll need to do copy/adjust line for the icon.

  Of course, "./firefox" from examples above should be replaced with the actual path to executable. For default installation of Firefox the path would be in /usr/bin/firefox script.

  So, you can have a separate profiles for something sensitive/invasive (linkedin, shops, etc.) and then you can have a separate profile for everything else.

  And each profile can have its own set of extensions.

Deleted my account. Fixed!

Directly on the landing page:

> Microsoft has 33,000 employees

this should probably be LinkedIn, not Microsoft.

LinkedIn is full of lunatics, does not surprise me at all.

This gave someone the opportunity to add in "Jeffery_Epstein_did_not_kill_himself" to linkedin's client facing code base through this. If you open dev tools -> network tab -> network search icon (magnifying glass) -> search for "epstein" and load up linkedin, you should see it for yourself too!

I really don't think they're "illegally" searching your computer, they're checking for sloppy extensions that let linkedin know they're there because of bad design.

The real story is what's going on behind the scenes. The charges are relatively flimsy (for the reason I mentioned in my other comment). But here's the cool thing: the site is basically taken from Microsoft's playbook. For years, they pretty transparently bankrolled shadowy, single-issue "grassroots advocacy" groups that went after their competitors under flimsy pretenses. These organizations attacked others but somehow never had an opinion about stuff like Windows Copilot.

This feels very similar, except now it's taking a swing at Microsoft. It's apparently paid for by some mysterious "trade association and advocacy group for commercial LinkedIn users" that runs out of a private PO box in a small German town - uh huh. I'm not going to feel bad for Microsoft, but I would love to read some investigative reporting down the line.

I run ad blockers and pihole, does that help?

It seems it scans your extensions not your system - reading the details. The intro made it a bit unclear.

• jwsteigerwalt

  today at 1:39 PM

  LinkedIn is far from the only actor doing this. Browser extension fingerprinting is not new. LinkedIn‘s size, scope, network effects make this especially concerning.

• Ajedi32

  today at 1:38 PM

  Still pretty annoying browsers haven't patched that yet.

  • acorn221

    today at 1:41 PM

    They have! It's these developers either not knowing or not caring about it which is the issue! I did a blog post about this a while back showing how they do it, and how you can get around it, it's not very complex for the devs.

    https://www.linkedin.com/pulse/how-linkedin-knows-which-chro...

    • victor106

      today at 2:14 PM

      > Chrome have fortunately recently released a "extension side panel" mode, and since only DOM changes can be easily identified, using the chrome extension side panel would be virtually un-detectable however this is far less intuitive to use and requires the user to perform some action to open the sidepanel every time they want to use the extension.

      As an end user I could not find an option to open the side panel

      • acorn221

        today at 3:26 PM

        Yeah I mean it's not very commonly used by extensions. I quite like it as it's completely isolated and not detectable. I built my first extension which uses it as the primary interface yesterday: https://github.com/Am-I-Being-Pwned/PGP-Tools

    • Ajedi32

      today at 1:49 PM

      `use_dynamic_url` seems like it should be enabled by default, maybe with a phase-out period for backwards compatibility with older extensions.

      • acorn221

        today at 1:57 PM

        Yeah I agree. All new extensions should have this for their web_accessible_resources.

        With that said, the chrome web store ecosystem has bigger problems infront of them. For example, loads of extensions outright just send every URL you visit (inc query params) over to their servers. Things like this just shouldn't happen, imagine you installed an extension from a few years back and you forgot about it, that's what happened to me with WhatRuns, which also scraped my AI chats.

        I'm working on a tool to let people scan their extensions (https://amibeingpwned.com/) and I've found some utterly outrageous vulnerabilities, widespread affiliate fraud and widespread tracking.

  • halapro

    today at 1:45 PM

    There's nothing to patch, scanning is not possible.

    It's either the extension's choice to become detectable ("externally_connectable" is off by default) or it makes unique changes to websites that allow for its detection.

    • Ajedi32

      today at 1:51 PM

      If it were just a matter of detecting changes to the DOM then this could only detect extensions that alter the LinkedIn website itself. I agree that would be much harder to make undetectable, but this seems like it goes beyond that.

      • halapro

        today at 2:40 PM

        As mentioned, there's a way to expose your extension to the web even without making changes. The other way is a key called "web_accessible_resources".

        All of these are opt-in by the extensions and MV3 actually force you to specify which domains can access your extension. So, again, each extension must explicitly allow the web to find it.

• cj

  today at 1:38 PM

  This has been going on for at least 5 years. It pops up on HN every so often.

• sgt

  today at 1:32 PM

  Seems like it. Which is serious but far from what I thought when I read the title. I suspect 90% of LinkedIn users don't even have a single browser extension installed.

  • josefritzishere

    today at 1:35 PM

    I would debate that. Most work computers have some extensions installed by default. That's millions of laptops. Ex. Snow Inventory Agent, ad blockers etc.

• choo-t

  today at 1:33 PM

  Pretty sure that if they could they would, but browsers sandboxing security prevent this to go unnoticed.

I hate the way they just started saying you have a new message when you really don't. Now I'm going to miss when I really have new messages for a while because I'm not going to go to that site anymore when they say that.

And not letting you read your messages when on your mobile phone unless you use their app is particularly mean. Considering again where they are sending all the information they scrape.

some of these things are just an effect of using chromium browsers.

use safari or Firefox. and chrome only for incognito web app testing.

Amazing work, but it’s not surprising, I think anyone in cybersec space knows that LinkedIn is the number one source of information when it comes to track or ID someone, and I don’t mean just OSINT given the real data you have, but also three letters agencies love it, it’s a gold mine, wasn’t the silkroad owner was busted because of the same personal email used on LinkedIn? So yeah, delete it, never use it, it’s full of corporate cringy nonsense anyway

linkedin is full of dark patterns, it's really unfortunate it became the business default, all other social platforms get more criticism while being only a fraction as bad

I can't say I needed yet another reason to hate the current state of LinkedIn, but I am not surprised in the slightest.

Despite the misleading headline, I really don't understand why anyone uses linkedin, there will inevitably be a trailing rely of comments claiming it has some irreplaceable value in professional networking, but I don't buy it. Nobody I've ever talked to has been able to articulate any actual value provided by "connecting" to another person on a social networking site. If you want to build professional connections go to lunch, join community calls, attend professional events, and go to conferences.

The fact that every job application wants a link to my profile on a platform that tries to push "brain training puzzle and games" on me just makes me angry every single time. I really hate LinkedIn and my active rebellion against it is hurting my ability to find a new job.

I know there has been other LinkedIn hate on HN this week. I know they have some good tools for job searching and hiring. I still wish we as a society could move on and leave this one with MySpace.

This is https://news.ycombinator.com/item?id=46904361, right?

Chrome: lets website scan what extensions you have installed for some reason.

This is result of browser fingerprinting.

My guess, Linkedin is used for years as source of valuable information for phishing/spear-phishing.

Maybe their motive is really spying. But more important for them is to fight against people botting Linkedin.

Imho, browser fingerprinting should be banned and EU should require browser companies to actively fight against it, not to help them (Fu Google)

I can’t take an article seriously that starts:

> Every time any of LinkedIn’s one billion users visits linkedin.com, hidden code searches their computer for installed software

and then proceeds not to explain how it’s doing that to me, a Safari user.

Because, spoiler: it isn’t. Or, it might try to search, and fail, and nothing will be collected.

• today at 1:57 PM

Deleted my LinkedIn account. Fixed.

The headline seems pretty misleading

Exactly how is it "illegal" to run code that exercises some aspect of the legitimate browser API surface? Are there functions marked as legal, and others marked as illegal?

This is true/valid in many ways, but the signs of significant AI gen are pretty obvious. And now I wonder how much of the overblown narrative is here.

This reminds me of the slop bug reports plaguing the curl project.

Just use Safari, it won't even load the page half the time.

Browsers almost need a firewall against websites for the functions and scans being run on it by websites.

Different browsers have various settings available, but do we have a little snitch for a web browser?

Reminder for windows control alt shift windows L

• today at 2:10 PM

Another good reason not to use extensions, and leave whatever they do for utility apps.

If they are genuinely only using the information to detect bad actors and maintain site stability as the affidavit states, and if they can prove it, this seems like potentially a non-issue?

I am not a lawyer, but site stability seems like a GDPR "Legitimate Interest" in my book anyway.

Typical microsoft

When Aaron Swartz does it, it is the threat of life in prison leading to suicide. When a multibillion dollar company does it, it is just capitalism.

HOLD EXECS LEGALLY ACCOUNTABLE, CRIMINALLY AND CIVILLY, FOR THE CRIMES OF THER CORPORATIONS.

>The user is never asked. Never told. LinkedIn’s privacy policy does not mention it.

OMG is literally every article written with LLMs these days I just can't anymore. It's all so tiring.

• an0malous

  today at 2:19 PM

  I get it — it can be frustrating to encounter so much low effort AI content these days. But I think it’s worth looking at the bright side here: the increase in our production of entropy from GPU consumption will hasten the heat death of the universe.

  Would you like me to suggest some AI summarizer tools you could use to more efficiently read AI generated content in the meantime?

  • nusl

    today at 2:39 PM

    Why don't we train LLMs on the entire internet every day? Then we don't even need to read anything. Reading is something people did in 2025

  • jijijijij

    today at 2:38 PM

    Nice try, but you em-dashed like a filthy human. The drone has been dispatched.

    • BrokenCogs

      today at 4:35 PM

      You're absolutely right!

    • sweetheart

      today at 3:05 PM

      the drone that gives hugs, right??? right????

      • jijijijij

        today at 3:23 PM

        Let me think about that...

        Yes. Resistance puts the possibility of hugs on the stool, so to speak.

  • throwawayq3423

    today at 4:40 PM

    > I get it —

    well done

• grub5000

  today at 2:01 PM

  This is incredibly normal language and quite close to how I would write this quote, so what makes you think this is LLM text?

  • dd8601fn

    today at 3:15 PM

    I've had the same thought pretty often, lately.

    I get it... I'm not a good writer. It just sucks that now people are going to assume the stuff I said isn't even me.

    I guess I always scored pretty low on the Turing test and never even knew it.

  • dwringer

    today at 5:32 PM

    The other replies have explained what's jumping out but I'd agree that without the other surrounding sentences of the article's introduction I'd be inclined to think that quoted sentence by itself might be human. The full text, however, doubles down on the AI-smelling constructions and IMHO almost certainly indicates some AI provenance.

  • cyral

    today at 4:31 PM

    It might be normal language but lets say maybe 5% of real human blog writers use short punchy phrases like that. The noticeable problem is now its 50% of blog posts because almost every single AI authored post uses the same phrasing, it's tiring knowing you are just reading ChatGPT output. Its usually part of a low-effort funnel to guide you to some product/service.

  • antonyt

    today at 4:41 PM

    Is it actually stylistically close to how you'd write it? If I reformulate your comment in slop style I'd do something like:

    The language is natural. Normal. Human. Who could question its authenticity?

    The original example isn't the worst offender, but even small offenders stick out when you can't escape seeing this kind of thing everywhere.

  • GavinMcG

    today at 2:34 PM

    It’s the fake drama. Punchy sentences. Contrast. And then? A banal payoff.

    • slfnflctd

      today at 3:47 PM

      Human journalists and marketing copy writers have been writing like this for at least 50 years, if not considerably longer.

      I am exhausted by so many people calling writing out as AI without sufficient proof other than writing style. Some things are more obvious, sure... maybe I'm just too stupid to see a lot of the rest of it? But so much of what gets called out seems incredibly familiar to me compared with traditional print media I've been reading my entire life.

      I'm starting to wonder if a lot of people just have poor literacy skills and are knee-jerk labeling anything that looks well written as AI.

      • fleebee

        today at 4:07 PM

        You're right that (some) marketing copy writers have been writing in this style for decades, but suddenly every second tech blogger has assumed the same voice in the past 2 years. Not everyone is as sensitive to it. I read this crap daily so I've developed an awareness and I'm confident in calling it out.

        I don't think I've personally seen a single false positive on HN. If anything, too much slop goes through uncontested.

        • cyral

          today at 4:34 PM

          > If anything, too much slop goes through uncontested.

          It's actually insane opening up /r/webdev and similar subreddits and seeing dozens of AI authored posts with 50+ comments and maybe a single person calling it out. Makes me feel crazy. It's not as much of a problem here, but there is absolutely a writing style that suddenly 50% of submissions are using. It's always to promote something and watching people fall for it over and over again is upsetting.

    • ocimbote

      today at 2:37 PM

      You're absolutely right.

    • kitsune1

      today at 3:25 PM

      [dead]

  • nojs

    today at 2:41 PM

    It’s 100% LLM text. HN really needs a button “flag as slop”.

• Arubis

  today at 2:15 PM

  Reading (and even more so, using the tools to produce) a bunch of LLM-output writing also affects one’s writing style. Ever sat down and blown through 3-4 books by a favorite author, then written something and found yourself using similar structure, word choice, style…? This could very well be a human author that’s been exposed to a lot of LLM output (ie 95% of this site’s audience).

  I find myself doing this a lot, and I’m sure even more slips without my notice.

• spopejoy

  today at 3:20 PM

  > It's all so tiring.

  What's tiring is a comment like this. If you don't like the article don't read it -- and don't comment.

  • BirAdam

    today at 3:53 PM

    One cannot make an accurate assessment of liking or disliking an article without having read the article.

  • kitsune1

    today at 3:27 PM

    [dead]

• jack_ball

  today at 2:21 PM

  I agree that that line reads GPT-like, but it's far from a conclusive tell. One option that I wonder about is if frequent interaction with AI will begin to influence people's organic writing style.

• hybrid_study

  today at 2:20 PM

  Who cares if it’s LLM written or assisted writing?

  What matters is the content!

• Biganon

  today at 4:20 PM

  Nothing in this sentence is evidence of AI.

  What's next? "There's punctuation in the sentence, must be AI" ?

• beejiu

  today at 2:20 PM

  LLMs didn't invent the "Rule of Three".

• ottah

  today at 2:10 PM

  How is that quote in any way demonstrative of this being written by LLM? You do know that LLMs were trained on the internet and every digitized text they could get their hands on? You are jumping at shadows, calm down already.

• blargh

  today at 2:07 PM

  what makes you think that? and what sets your comment appart from beeing created by an llm?

• ugh123

  today at 4:03 PM

  How can you tell?

• elestor

  today at 5:37 PM

  I don’t like AI slop as much as the next guy, but that part doesn’t seem so bad? Sounds like something anyone could write.

• nickvec

  today at 2:45 PM

  Ehh… this quote alone is pretty benign. If you didn’t mention it, I wouldn’t have even considered the possibility of AI.

• SecretDreams

  today at 1:55 PM

  That's the intention. Make the internet so unbelievably shit that you just accept and move on.

Why can't we have nice things?

• mentalgear

  today at 1:40 PM

  because corporate greed corrupts every nice thing: it pushes the other (maybe more moral) 'nice thing' alternatives out of the ecosystem by subsiding using VC funding to provide 'NiceThing!' for free until 'NiceThing!' is the monopoly or bought by another entity to become part of the monopoly (due to weak/not enforced antitrust laws).

• crest

  today at 1:39 PM

  Because we let them get away with it. Take something they're going to miss and can't replace (e.g. their freedom or their head) and it will stop as long as enforcement is reliable enough that they expect to get caught.

  These aren't good people, but if you make the fine to the organisation much more expensive than the expected return, lock up the whole board and leave their families without a pot to piss in we will see this become the exception instead of the norm.

• plagiarist

  today at 1:41 PM

  Unbounded capitalism.

[dead]

The only explanation of linkedin being worth 44B is the prominent appearance of both bill gates (who started spending a day a week at MS after nadella became ceo), and reid hoffman appear prominently in epstein files. The deal itself was finalized during Trump's first term. So everything checks out

[dead]

[dead]

[dead]

[flagged]

[dead]

[dead]

[dead]

[dead]

[dead]

[flagged]

• add-sub-mul-div

  today at 2:04 PM

  Maybe it's not and it's just badly written, but we've come to associate the two so strongly that we can't separate them.

[flagged]

The title is a complete nonsense.

• jb1991

  today at 1:43 PM

  So is this comment.

• acorn221

  today at 1:39 PM

  Yeah I agree

Nothing but click-bait.

Doesn't it depend how they're storing the data? If it's sufficiently transformed, it could be considered fair use.

• cwillu

  today at 1:49 PM

  Copyright isn't relevant here.

• largbae

  today at 1:48 PM

  For my curiosity what would the fair use be?

  • maplethorpe

    today at 2:34 PM

    Research.

• hosteur

  today at 5:20 PM

  No?

The proliferation of AI coding assistants is shifting the bottleneck from writing code to reviewing code. The developers who will thrive are those who develop strong code review instincts.