LinkedIn Faces Spying Allegations Over Browser Extension Scanning (pcmag.com)
- Reference: 0181393028
- News link: https://yro.slashdot.org/story/26/04/06/2227247/linkedin-faces-spying-allegations-over-browser-extension-scanning
- Source link: https://www.pcmag.com/news/linkedin-faces-spying-allegations-over-browser-extension-scanning
"The program runs silently, without any visible indicator to the user," the group says. "It does not ask for consent. It does not disclose what it is doing. It reports the results to LinkedIn's servers. This is not a one-time check. The scan runs on every page load, for every visitor." PCMag reports:
> This browser extension "fingerprinting" technique has been spotted before, but it was previously found to probe only [2]2,000 to [3]3,000 extensions. Fairlinked alleges that LinkedIn is now scanning for [4]6,222 extensions that could indicate a user's political opinions or religious views. For example, the extensions LinkedIn will [5]look for include one that flags companies as too "woke," one that can add an "anti-Zionist" tag to LinkedIn profiles, and two others that can block content forbidden under Islamic teachings.
>
> It would also be a cakewalk to tie the collected extension data to specific users, since LinkedIn operates as a vast professional social network that covers people's work history. Fairlinked's concern is that Microsoft and LinkedIn can allegedly use the data to identify which companies use competing products. "LinkedIn has already sent enforcement threats to users of third-party tools, using data obtained through this covert scanning to identify its targets," the group claims. However, LinkedIn claims that Fairlinked mischaracterizes a LinkedIn safeguard designed to prevent web scraping by browser extensions. "We do not use this data to infer sensitive information about members," the company says. "To protect the privacy of our members, their data, and to ensure site stability, we do look for extensions that scrape data without members' consent or otherwise violate LinkedIn's Terms of Service," LinkedIn adds.
>
> [...] The statement goes on to allege that Fairlinked is from a developer whose account was previously suspended for web scraping. One of the group's board members is listed as "S.Morell," which appears to be Steven Morell, the founder of Teamfluence, a tool that helps businesses monitor LinkedIn activity. [...] Still, the Microsoft-owned site is facing some blowback for not clearly disclosing the browser extension scanning in LinkedIn's [6]privacy policy. Fairlinked is [7]soliciting donations for a legal fund to take on Microsoft and is urging the public to encourage local regulators to intervene.
[1] https://www.pcmag.com/news/linkedin-faces-spying-allegations-over-browser-extension-scanning
[2] https://gist.github.com/jeremy-hyde/8a4db2280d3076ab99d958b83dccc1d2
[3] https://github.com/mdp/linkedin-extension-fingerprinting/tree/main
[4] https://browsergate.eu/extensions/
[5] https://browsergate.eu/how-it-works/
[6] https://www.linkedin.com/legal/privacy-policy
[7] https://browsergate.eu/take-action/
Follow the money (Score:2, Interesting)
> However, LinkedIn claims that Fairlinked mischaracterizes a LinkedIn safeguard designed to prevent web scraping by browser extensions. "We do not use this data to infer sensitive information about members," the company says.
S'truth. We pinky promise!!!
> The statement goes on to allege that Fairlinked is from a developer whose account was previously suspended for web scraping. One of the group's board members is listed as "S.Morell," which appears to be Steven Morell, the founder of Teamfluence, a tool that helps businesses monitor LinkedIn activity. [...] Still, the Microsoft-owned site is facing some blowback for not clearly disclosing the browser extension scanning in LinkedIn's privacy policy.
As we said in politics, the only time you can believe one politician is when he calls another politician a liar. Just because Fairlinked seems to be dirty, doesn't mean Linkedin is squeaky clean.
> Fairlinked is soliciting donations for a legal fund to take on Microsoft [...]
OK, and then there is this. It always gets back to this.
Outlived its usefulness (Score:5, Insightful)
I've pretty much stopped visiting linkedin. First it was the pet videos, then the political nonsense, then an onslaught of spam trying to sell shit to me 24/7. Now it's just a place to park my resume.
Good riddance.
Re: (Score:2)
> Now it's just a place to park my resume
Have you ever received a legitimate job offer, or even a nibble, from an employer that you might actually consider working for, that came through LinkedIn?
Me neither.
You'd be much better served by posting your resume or having it on file with a few employers you would consider and who are legitimate.
Re: (Score:3)
My current job was found via LinkedIn. For the most part I'm not a fan, especially given my hatred for anything Microsoft. I had quit my previous job and wasn't even sure I was going to continue working but thanks to a new law where I live that requires job listings to list the salary range, I saw a job closer to home with a nice salary bump that was what I really wanted to do if I continued working so I applied. And it turned out I was a perfect fit for the job. So yeah you can find legit jobs via Link
Re: (Score:2)
It's become very "I built this with AI" and "how your business is going to improve with AI" and all sorts of terrible content, and GAMES! WTF.
Man some LinkedIn users are fragile (Score:3)
"the extensions LinkedIn will look for include one that flags companies as too "woke," one that can add an "anti-Zionist" tag to LinkedIn profiles..."
Imagine being so petty and fragile that you need to install a whole plugin to tell you what is woke or anti-zionist.
Re: (Score:2)
Or people want the fastest possible way to not give a website or company their money if they don't support the same morals as themselves. That might be it too.
Re: (Score:2)
Those people are living in a fantasy world. Especially if they need a web browser to make that decision for them.
Re: (Score:2)
No mention of Islam though, which was the next thing filtered.
"and two others that can block content forbidden under Islamic teachings."
You can tell which one people have learned to fear. Islam is the future, because even anonymously, people have learned to fear them.
Re: (Score:2)
I don't fear islam. I understand how that plugin would help someone who believes in the bullshit of religion meet the needs of the bullshit. So it wasn't worth mentioning.
How is this possible? (Score:1)
How is this even possible, why would a browser allow a website to ask for details about installed software???
Re:How is this possible? (Score:5, Informative)
According to the writeup; there are two methods: it is possible for an extension to mark some parts of itself as 'web accessible'; and linkedin has assembled at least one characteristic file for 6,1000-odd extension IDs and attempts to fetch it to confirm/deny the extension's presence.
The other is based on the fact that the whole point of many extensions is to modify the site in some way; but the site normally has largely unfettered access to inspect itself, so they have theirs set up to walk the entire DOM looking for any references to "chrome-extension://" and snagging the IDs if found.
Not exactly a 'declare installed extensions'; but it looks like, out of some combination of supporting the use cases where an extension and page actively interact by design and either not wanting the possibility or not wanting the complexity of trying to enable 'invisible' edits (presumably some sort of 'shadow' DOM mechanism where as far as the site and everything delivered with it knows only its unedited DOM and resources exist; but the one the user sees is an extension-modified copy of that one, which sounds like it could get messy), inferential attacks are fairly easy and powerful.
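The first method in the comment above depends on what an extension's manifest.json declares as web accessible, which can be audited from the defender's side. This is an added example, not part of the comment or the writeup it cites; the sample manifests are constructed, and the match-pattern check is a simplification that compares scheme and host only.

```javascript
// Added example. Manifests below are constructed samples, not real extensions.
const SAMPLES = {
  mv2: { manifest_version: 2, web_accessible_resources: ["img/icon.png"] },
  scoped: { manifest_version: 3, web_accessible_resources: [
    { resources: ["inject.js"], matches: ["https://*.linkedin.com/*"] }] },
  elsewhere: { manifest_version: 3, web_accessible_resources: [
    { resources: ["ui.css"], matches: ["https://example.org/*"] }] },
  dynamic: { manifest_version: 3, web_accessible_resources: [
    { resources: ["ui.css"], matches: ["<all_urls>"], use_dynamic_url: true }] },
};

// Simplified match-pattern test: compares scheme and host only, ignores the path.
function patternCoversOrigin(pattern, origin) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?):\/\/(\*|(?:\*\.)?[^/*]+)\//.exec(pattern);
  if (!m) return false;
  const url = new URL(origin);
  const scheme = url.protocol.slice(0, -1);
  if (scheme !== "http" && scheme !== "https") return false;
  if (m[1] !== "*" && m[1] !== scheme) return false;
  if (m[2] === "*") return true;
  if (m[2].startsWith("*.")) {
    const base = m[2].slice(2);
    return url.hostname === base || url.hostname.endsWith("." + base);
  }
  return url.hostname === m[2];
}

// Returns the resource groups that pages on siteOrigin are allowed to request.
function auditManifest(manifest, siteOrigin) {
  const war = manifest.web_accessible_resources || [];
  if (manifest.manifest_version === 2) {
    // MV2: a flat list of paths with no per-site restriction.
    return war.length ? [{ resources: war, stableUrl: true }] : [];
  }
  return war
    .filter((e) => (e.matches || []).some((p) => patternCoversOrigin(p, siteOrigin)))
    .map((e) => ({
      resources: e.resources || [],
      // use_dynamic_url asks for a per-session ID in the URL instead of the fixed extension ID.
      stableUrl: e.use_dynamic_url !== true,
    }));
}

for (const [name, manifest] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(auditManifest(manifest, "https://www.linkedin.com")));
}
```

An extension that returns an empty list for a site exposes no files for that site to request; the DOM-inspection method described in the comment is not covered by this check.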
Re: (Score:2)
> so they have theirs set up to walk the entire DOM looking for any references to "chrome-extension://" and snagging the IDs if found.
Maybe walk the DOM for their own document. But what moron would build their core browser to allow sites to walk/query content from other, unrelated sites? That just sounds like content theft to me. Just the kind of scraping that LinkedIn claims to be detecting.
How does this get green-lighted? (Score:1)
"I'm going to develop a browser fingerprinting system that's even more spywarey than linkedin is by default."
"Sure, go ahead. Remember, the more people you can identify, the more Microsoft dollars you get to spend!"
Re: (Score:1)
This isn't even the worst thing LinkedIn has gotten caught doing. It's always been an entirely criminal enterprise masquerading as a normal jobs board.
Any free service (Score:1)
You are the thing being sold!
LinkedIn is a lost cause (Score:2)
After the company was caught spamming contacts a decade ago did anyone think they would improve?
Re: (Score:2)
> After the company was caught spamming contacts a decade ago did anyone think they would improve?
Define "improvement". A decade ago LinkedIn was sold to Microsoft for $26.2 billion. It seems Microsoft values LinkedIn plenty, just the way things are.
They have an interesting defense (Score:2)
They later came out with a statement saying they only check for plugins known to scrape others' profile data in large quantities. I do not personally believe that's entirely and solely the reason. You would not believe the amount of "I changed my linked in status to working at New Company Inc!" immediately resulting in a scam text message with "Hey, set up your banking info for payroll at New Company Inc!" and then the person gets a fraudulent bank wire. It's all because of Linked In scrapers. So they have a p
Spying? For what you already give them? (Score:2)
I'm sorry, it just sounds silly to me to accuse them of spying when you already give them all your information. Linkedin already knows who I am, where I live and what I do for a living, because I told it. It has my email and phone number. What are they going to do, fingerprint my browser to be even more sure of who I am when they already have my f-ing resume?
Re: (Score:2)
It knows the things you voluntarily chose to disclose. And that's fine. The problem lies in when they decide to take information you did NOT voluntarily choose to disclose.
There ARE corporate entities that force chrome (Score:2)
PG&E for one
Try logging in with Firefox and see
Epstein Class (Score:2)
Count the number of emails between a company founder and Epstein before you install their code in your Browser or put your data on their platform.
I mean, spies were spying on you?
Not to mock the victims, but c'mon, Nancy, don't be naïve.
https://jmail.world/
Say after me (Score:4, Insightful)
DON'T USE CHROME.
In other news the Lutheran church in Rome denied that it had received a membership application from Pope Leo, whilst ursine faecal material continues to be found in forested areas.
Re: (Score:2)
Firefox also uses the Chrome extension API. Not that it matters, as Linkedin just checks the content injected into the site:
> Here’s why: some extensions have static resources (images, JavaScript) available to inject into our web pages. We can detect the presence of these extensions by checking if that static resource URL exists,
The only way to defend against this is to disable scripts entirely.
Re: (Score:3, Insightful)
Or avoiding LinkedIn altogether or using a separate profile devoted to LinkedIn if you're required to use it
Re: (Score:3)
> Firefox also uses the Chrome extension API. Not that it matters, as Linkedin just checks the content injected into the site:
>> Here’s why: some extensions have static resources (images, JavaScript) available to inject into our web pages. We can detect the presence of these extensions by checking if that static resource URL exists,
> The only way to defend against this is to disable scripts entirely.
Yup, I have to approve all scripts, every time. Yup, it can be a pain in the backside.
If you want a little "fun", look up who is running the scripts. Google doesn't hide themselves very much, but some others? Regardless, I have a fundamental issue with having mostly unknown people/groups installing stuff on my computer.
Re: (Score:2)
So... [1]noscript then.
[1] https://addons.mozilla.org/en-US/firefox/addon/noscript/
Re:Say after me (Score:5, Interesting)
Exactly. Chrome, and realistically Chromium, is essentially malware. Geeks especially should consider it a civic duty to use basically anything else. Which pretty much leaves Firefox and Safari.
Browser diversity is critical to keeping the web actually open. Even if Chromium is open source, the reality is Google drives the project entirely. It puts them in a powerful position to gatekeep, and that is bad for all the same reasons it was bad when IE-5/6 ruled the web, nearly uncontested.
We don't want a web where the only standard is whatever chromium does.
Re: (Score:2)
What's your position on Brave? Chromium-based but - allegedly - with the spy stuff removed.
Re:Say after me (Score:4, Informative)
For the individual that is certainly better than Chrome, but from the perspective of whether it gives Alphabet any less influence, it's not really much better.
I come back to this: if we allow Chromium to become essentially the only online HTML Document rendering engine in use, Google makes all the rules. It is really too large a project for any entity that is not a large corporate to fork.
Just look at the whole plugin architecture (Manifest V2) stuff. Google got their way because the plugin architecture touches so much and nobody maintaining a Chromium-based alternative browser could realistically keep up with the mainline if they forked or tried to keep a patch set running.
Google basically unilaterally decided what web-plugins are allowed to do; and nobody was able to stop them.
Re: (Score:1, Insightful)
Brave is successfully maintaining manifest V2 support, so not really.
Re: (Score:2)
Way to put a bandage on a wound rather than treating the cause of the bleeding. Not using Chrome doesn't help you here. You are being fingerprinted regardless.
Re: (Score:2)
> You are being fingerprinted regardless.
Maybe. Why do you think other browsers report installed extensions? Either to the extent Chrome does? Or at all?
Re: (Score:2)
> why do you think they don't?
Perhaps someone wrote a browser extension that can log activity between itself and remote systems.