LinkedIn is reportedly scanning your browser extensions: But is it illegal?
The practice at the centre of the controversy is called resource probing. When a user opens LinkedIn in a Chromium-based browser, the site's JavaScript tests for the presence of specific browser extensions, currently a list of more than 6,000, records which ones respond, and sends the result to LinkedIn's servers.
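As an added illustration of the technique, not code from LinkedIn or from the article, the block below shows how a web page can probe for an installed Chromium extension. Chromium serves files an extension lists under "web_accessible_resources" in its manifest at chrome-extension://<id>/<path>; asking for such a file and watching whether the request succeeds tells the page whether the extension is installed. Every extension ID, name and resource path here is a hypothetical placeholder, and the stub loader exists only so the logic can run outside a browser.

```javascript
// Added example (not LinkedIn's code): detecting installed Chromium extensions by
// requesting one of their web-accessible resources, the "resource probing" the article
// describes. Every extension ID, name and resource path below is a hypothetical placeholder.

const PROBE_LIST = [
  { name: "hypothetical-extension-a", id: "abcdefghijklmnopabcdefghijklmnop", resource: "icons/128.png" },
  { name: "hypothetical-extension-b", id: "ponmlkjihgfedcbaponmlkjihgfedcba", resource: "inject.js" },
  { name: "hypothetical-extension-c", id: "aabbccddeeffgghhaabbccddeeffgghh", resource: "styles.css" },
];

// Chromium extension IDs are 32 characters drawn from the letters a-p.
const EXTENSION_ID = /^[a-p]{32}$/;

// Files an extension lists under "web_accessible_resources" in its manifest are served to
// web pages at chrome-extension://<id>/<path>. Any other path, and any extension that
// declares no such resources, fails to load and is therefore invisible to this technique.
function resourceUrl(id, resource) {
  if (!EXTENSION_ID.test(id)) throw new Error(`not a Chromium extension id: ${id}`);
  return `chrome-extension://${id}/${resource.replace(/^\/+/, "")}`;
}

// Browser-side loader: fetch() resolves for an accessible resource and rejects when the
// browser refuses to serve the path, so "did it load" maps to "is it installed".
function fetchLoader(url) {
  return fetch(url, { cache: "no-store" }).then((r) => r.ok).catch(() => false);
}

// Pure decision step, kept separate from I/O so it can be exercised without a browser:
// pair each probe entry with its load result and keep the ones that loaded.
function selectDetected(list, loaded) {
  return list.filter((_, i) => loaded[i] === true).map((e) => e.id);
}

// Probe the whole list concurrently with whichever loader the environment provides.
async function probeExtensions(list, loader = fetchLoader) {
  const loaded = await Promise.all(
    list.map((e) => Promise.resolve(loader(resourceUrl(e.id, e.resource))).catch(() => false)),
  );
  return selectDetected(list, loaded);
}

// Stub loader for running outside a browser: pretends the given extensions are installed.
// In a real page the call would simply be probeExtensions(PROBE_LIST).
function stubLoader(installedIds) {
  return (url) => installedIds.some((id) => url.startsWith(`chrome-extension://${id}/`));
}

if (typeof window === "undefined") {
  probeExtensions(PROBE_LIST, stubLoader(["ponmlkjihgfedcbaponmlkjihgfedcba"])).then((ids) =>
    console.log("detected:", ids),
  );
}
```

Two properties of the technique follow from the code. An extension that declares no web-accessible resources (or, in Manifest V3, one that restricts them to particular origins or sets "use_dynamic_url" so the path changes per session) cannot be found this way at all, which is why a long probe list yields far fewer confirmable hits than entries. And nothing in the probe reads the user's files or runs code in the extension; it only observes whether a URL loads.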
Fortra Associate Director of Security R&D Tyler Reguly investigated the process and was direct in his assessment. "Yes, LinkedIn was probing for a lot of extensions, but there was no scanning of your computer and no malicious code, just a simple JavaScript technique to determine if the extension was there," he told SecurityWeek.
What Reguly found when he tested the extensions
Reguly sampled roughly 10% of the flagged extension list and found the results illuminating, though not in the way BrowserGate intended.
Among those he tested: one extension refused to close when he attempted to shut its tab; others altered his homepage and added unsolicited bookmarks. One played Rick Astley's "Never Gonna Give You Up" every time he opened his browser.
He also notes a practical ceiling on LinkedIn's actual detection capability: based on his testing, only around 2,000 of the 6,000-plus listed extensions could realistically be detected.
"To say that a lot of these are the worst of the worst extensions out there is not an understatement," he said, and his working theory is that LinkedIn may be probing to defend against data scrapers, not to build user profiles.
The security verdict may be relatively benign, but the legal picture is murkier. Ilia Kolochenko, a lawyer specialising in cybersecurity and data protection, told SecurityWeek that the legality of browser fingerprinting varies significantly by jurisdiction.
Under the GDPR and similar privacy regimes, gathering such information about a user without their consent could be an offence, Kolochenko said; in some instances it could even be a crime, particularly if the data is used for commercial purposes without informing the user.
LinkedIn says it uses the information to determine whether an installed extension violates its terms of service, and to defend against anomalous activity on an account.
LinkedIn also says the data is not used to infer personal characteristics of the individual. What it has not done is tell users that the collection takes place.
For Reguly, the takeaway is the opposite of sensational. Rather than a privacy scandal, he sees the published extension IDs as a useful resource for IT managers and security specialists who want to block unwanted software.
His bottom line: "I can't help but see this as a giant nothing burger." The enduring issue is not whether LinkedIn was running a surveillance programme, which appears unlikely, but whether anyone has the right to collect such information without telling the user.
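One way an administrator could act on such a list, as an added example that is not from the article, from Reguly or from LinkedIn: parse the published IDs, reject anything that is not a well-formed Chromium extension ID, and emit a managed-browser policy that blocks them. The policy names ExtensionInstallBlocklist and ExtensionInstallAllowlist are real Chromium enterprise policies; the IDs in the constructed sample are hypothetical placeholders, and the file path in the comment is the Linux managed-policy directory for Google Chrome.

```javascript
// Added example (not from the article, Reguly or LinkedIn): turning a published list of
// extension IDs into a Chromium enterprise policy that blocks their installation.
// The IDs below are hypothetical placeholders in a constructed sample list.

const SAMPLE_LIST = `# constructed sample of a published probe list, not real extension IDs
abcdefghijklmnopabcdefghijklmnop
ponmlkjihgfedcbaponmlkjihgfedcba  # trailing comment
abcdefghijklmnopabcdefghijklmnop  # duplicate of the first entry
not-an-extension-id
`;

// Chromium extension IDs are 32 characters drawn from the letters a-p.
const EXTENSION_ID = /^[a-p]{32}$/;

// Split a list into well-formed IDs and rejected lines (comments, blanks, typos), so a
// malformed entry is surfaced instead of silently dropping out of the policy.
function parseIdList(text) {
  const ids = new Set();
  const rejected = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.replace(/#.*$/, "").trim();
    if (!line) continue;
    if (EXTENSION_ID.test(line)) ids.add(line);
    else rejected.push(line);
  }
  return { ids: [...ids].sort(), rejected };
}

// ExtensionInstallBlocklist prevents the listed extensions from being installed and
// disables them where already present. With denyAll, the blocklist becomes "*" (block
// everything) and only ExtensionInstallAllowlist entries may be installed: the stricter
// default-deny posture, with the probe list then serving as a review aid rather than a policy.
function buildBlocklistPolicy(ids, { denyAll = false, allowlist = [] } = {}) {
  const policy = { ExtensionInstallBlocklist: denyAll ? ["*"] : [...ids] };
  if (denyAll) policy.ExtensionInstallAllowlist = [...allowlist];
  return policy;
}

const parsed = parseIdList(SAMPLE_LIST);
if (parsed.rejected.length) console.error("rejected lines:", parsed.rejected);
// Write this JSON to /etc/opt/chrome/policies/managed/block-extensions.json on Linux
// (on Windows the same keys live under HKLM\Software\Policies\Google\Chrome).
console.log(JSON.stringify(buildBlocklistPolicy(parsed.ids), null, 2));
```

Rejected lines are printed rather than ignored because a single typo in a blocklist entry means one extension stays installable while the policy file still looks complete.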
