LinkedIn is searching your browser extensions
browsergate.eu
1881 points by digitalWestie 3 days ago
The headline seems pretty misleading. Here’s what seems to actually be going on:
> Every time you open LinkedIn in a Chrome-based browser, LinkedIn’s JavaScript executes a silent scan of your installed browser extensions. The scan probes for thousands of specific extensions by ID, collects the results, encrypts them, and transmits them to LinkedIn’s servers.
This does seem invasive. It also seems like what I’d expect to find in modern browser fingerprinting code. I’m not deeply familiar with what APIs are available for detecting extensions, but the fact that it scans for specific extensions sounds more like a product of an API limitation (i.e. no available getAllExtensions() or somesuch) vs. something inherently sinister (e.g. “they’re checking to see if you’re a Muslim”).
I’m certainly not endorsing it, do think it’s pretty problematic, and I’m glad it’s getting some visibility. But I do take some issue with the alarmist framing of what’s going on.
I’ve come to mostly expect this behavior from most websites that run advertising code and this is why I run ad blockers.
How is probing your browser for installed extensions not "scanning your computer"?
Calling the title misleading because they didn't breach the browser sandbox is wrong when this is clearly a scenario most people didn't think was possible. Chrome added extensionId randomization with the change to V3, so it's clearly not an intended scenario.
> vs. something inherently sinister (e.g. “they’re checking to see if you’re a Muslim”)
They chose to put that particular extension in their target list, how is it not sinister? If the list had only extensions to affect LinkedIn page directly (a good chunk seem to be LinkedIn productivity tools) they would have some plausible deniability, but that's not the case. You're just "nothing ever happens"ing this.
> How is probing your browser for installed extensions not "scanning your computer"?
I think most people would interpret “scanning your computer” as breaking out of the confines of the browser and gathering information from the computer itself. If this was happening, the magnitude of the scandal would be hard to overstate.
But this is not happening. What actually is happening is still a problem. But the hyperbole undermines what they’re trying to communicate and this is why I objected to the title.
> They chose to put that particular extension in their target list, how is it not sinister?
Alongside thousands of other extensions. If they were scanning for a dozen things and this was one of them, I’d tend to agree with you. But this sounds more like they enumerated known extension IDs for a large number of extensions because getting all installed extensions isn’t possible.
If we step back for a moment and ask the question: “I’ve been tasked with building a unique fingerprint capability to combat (bots/scrapers/known bad actors, etc), how would I leverage installed extensions as part of that fingerprint?”
What the article describes sounds like what many devs would land on given the browser APIs available.
To reiterate, at no point am I saying this is good or acceptable. I think there’s a massive privacy problem in the tech industry that needs to be addressed.
But the authors have chosen to frame this in language that is hyperbolic and alarmist, and in doing so I think they’re making people focus on the wrong things and actually obscuring the severity of the problem, which is certainly not limited to LinkedIn.
> What the article describes sounds like what many devs would land on given the browser APIs available.
> To reiterate, at no point am I saying this is good or acceptable. I think there’s a massive privacy problem in the tech industry that needs to be addressed.
These two sentences highlight the underlying problem: Developers without an ethical backbone, or who are powerless to push back on unethical projects. What the article describes should not be "what many devs would land on" naturally. What many devs should land on is "scanning the user's browser in order to try to fingerprint him without consent is wrong and we cannot do it."
To put it more extremely: If a developer's boss said "We need to build software for a drone that will autonomously fly around and kill infants," the developer's natural reaction should not be: "OK, interesting problem. First we'll need a source of map data, and a vision algorithm that identifies infants...." Yet, our industry is full of this "OK, interesting technology!" attitude.
Unfortunately, for every developer who is willing to draw the line on ethical grounds, there's another developer waiting in the recruiting pipeline more than willing to throw away "doing the right thing" if it lands him a six figure salary.
I completely agree.
Fighting against these kinds of directives was a large factor in my own major burnout and ultimately quitting big tech. I was successful for a while, but it takes a serious toll if you’re an IC constantly fighting against directors and VPs just concerned about solving some perceived business problem regardless of the technical barriers.
Part of the problem is that these projects often address a legitimate issue that has no “good” solution, and that makes pushing back/saying no very difficult if you don’t have enough standing within the company or aren’t willing to put your career on the line.
I’d be willing to bet good money that this LinkedIn thing was framed as an anti-bot/anti-abuse initiative. And those are real issues.
But too many people fail to consider the broader implications of the requested technical implementation.
Oh yeah. Must be an anti-fraud/child abuse/money laundering/terrorism/fake news thing. All real problems with no known good solution (to my knowledge, please prove me wrong).
Edit: typos
> These two sentences highlight the underlying problem: Developers without an ethical backbone, or who are powerless to push back on unethical projects.
One reason your boss is eager to replace everyone with language models, they won’t have any “ethical backbone” :’)
Many developers overestimate their agency without extremely high labor demand. We got a say because replacing us was painful, not because of our ethics and wisdom. Without that leverage, developers are cogs just like every other part of the machine.
No-one replaced developers when we got IDEs and CIs and such. We just produced more software faster.
Same with LLMs. This is a race. Competent people are in demand.
You can't actually push back as an IC. Tech companies aren't structured that way. There's no employment protection of any kind, at least in the US. So the most you can do is protest and resign, or protest and be fired. Either way, it'll cost you your job. I've paid that price and it's steep. There's no viable "grassroots" solution to the problem, it needs to come from regulation. Managers need to serve time in prison, and companies need to be served meaningfully damaging fines. That's the only way anything will get done.
> There's no viable "grassroots" solution to the problem
Does something like running the duckduckgo extension not help?
I'm hoping the Ladybird project's new Web browser (alpha release expected in August) will solve some issues resulting from big tech controlling most browsers.
Yes, that might be good. I use Firefox with the dog plugin, and Proton login aliases, and hope for the best.
> There's no viable "grassroots" solution to the problem, it needs to come from regulation. Managers need to serve time in prison,
No, yes
Yes, giving these people short (or long, mēh) prison sentences is the only thing that will stop this.
No, the obvious grassroots response is to not use LinkedIn or Chrome. (You mean developers not consumers, I think. The developers in the trenches should obey if they need their jobs, they are not to blame. It is the evil swine getting the big money and writing the big cheques...)
Yes, what I meant was there's no way ICs will change any of this. Using this or that extension, or choosing not to use some service won't really change anything either. The popular appetite just isn't there. Personally I use a variety of adblockers and haven't had a linkedin or anything for many years, but I fully accept that's an extremist position and most consumers will not behave that way. The only way these companies' behavior will improve is when they are meaningfully, painfully punished for it. There's very little we as consumers or ICs can do until then. Unless of course their risk management fails and they alienate a sufficiently large number of users that it becomes "uncool" to use the product. But all we need to do is look to twitter to see just how bad it'll get before then...
> The popular appetite just isn't there.
Cory Doctorow, if he is to be believed, states 50% of web users use ad blockers. So maybe?
I integrate these kinds of systems in order to prevent criminals from being able to use our ecommerce platform to utilize stolen credit cards.
That involves integrating with tracking providers to best recognize whether a purchase is being made by a bot or not, whether it matches "Normal" signals for that kind of order, and importantly, whether the credit card is being used by the normal tracking identity that uses it.
Even the GDPR gives us enormous leeway to do literally this, but it requires participating in tracking networks that have what amounts to a total knowledge of purchases and browsing you do on the internet. That's the only way they work at all. And they work very well.
Is it Ethical?
It is a huge portion of the reason why ecommerce is possible, and significantly reduces credit card fraud, and in our specific case, drastically limits the ability of a criminal to profit off of stolen credit cards.
Are people better off from my work? If you do not visit our platforms, you are not tracked by us specifically, but the providers we work with are tracking you all over the web, and definitely not just on ecommerce.
Should this be allowed?
No, credit card companies should be made to develop robust solutions to protect themselves from cards being able to be stolen. It's not like secure authentication isn't a relatively solved problem. They've obviously managed to foist the problem on you and make you come up with shitty solutions. But that's bad.
What I'm wondering is if this requires sending the full list of extensions straight to a server (as opposed to a more privacy-protecting approach like generating some type of hash clientside)?
Based on their privacy policy, it looks like Sift (major anti-fraud vendor) collects only "number of plugins" and "plugins hash". No one can accuse them of collecting the plugins for some dual-use purpose beyond fingerprinting, but LinkedIn has opened themselves up to this based on the specific implementation details described.
The SOP of this entire industry is "Include this javascript link in your tag manager of choice", and it will run whatever javascript it can to collect whatever they want to collect. You then integrate in the back end to investigate the signals they sell you. America has no GDPR or similar law, so your "privacy" never enters the picture. They do not even think about it.
This includes things like the motion of your mouse pointer, typing events including dwell times, fingerprints. If our providers are scanning the list of extensions you have installed, they aren't sharing that with us. That seems overkill IMO for what they are selling, but their business is spyware so...
On the backend, we generally get the results and some signals. We do not get the massive pack of data they have collected on you. That is the tracking company's prime asset. They sell you conclusions using that data, though most sell you vague signals and you get to make your own conclusions.
Frankly, most of these providers work extremely well.
Sometimes, one of our tracking vendors gets default blackholed by Firefox's anti-tracking policy. I don't know how they manage to "Fix" that but sometimes they do.
Again, to make that clear, I don't care what you think Firefox's incentives are, they objectively are doing things that reduce how tracked you are, and making it harder for these companies to operate and sell their services. Use Firefox.
In terms of "Is there a way to do this while preserving privacy?", it requires very strict regulation about who is allowed to collect what. Lots of data should be collected and forwarded to the payment network, who would have sole legal right to collect and use such data, and would be strictly regulated in how they can use such data, and the way payment networks handle fraud might change. That's the only way to maintain strong credit card fraud prevention in ecommerce, privacy, status quo of use for customers, and generally easy to use ecommerce. It would have the added benefit of essentially banning Google's tracking. It would ban "Fraud prevention as a service" though, except as sold by payment networks.
Is this good? I don't know.
Mandating that tracking for anti-fraud be vertically integrated with the payment network seems unnecessary. Surely the law could instead mandate the acceptable uses of such data? The issue at present appears to be the lack of regulation, not scofflaws.
I'm not convinced tracking is the only or even a very good way to go about this though. Mandating chip use would largely solve the issue as it currently stands (at least AFAIK). The card provider doing 2FA on their end prior to payment approval seems like it works just as well in practice.
At this point my expectation is that I have to do 2FA when first adding a new card to a platform. I'm not clear why they should need to track me at that point.
> Even the GDPR gives us enormous leeway to do literally this, but it requires participating in tracking networks that have what amounts to a total knowledge of purchases and browsing you do on the internet. That's the only way they work at all.
That data sounds like it would be very valuable.
But I think if I sell widgets and a prospective customer browses my site, telling my competitors (via a data broker) that customer is in the market for widgets is not a smart move.
How do such tracking networks get the cooperation of retailers, when it’s against the retailers interests to have their customers tracked?
I suspect a lot of retailers simply aren’t aware that that data is being collected and sold off to their competitors (or to ad networks so their competitors can poach their audience)
They get demographic data on their customers and can use that for marketing and setting prices.
> These two sentences highlight the underlying problem: Developers without an ethical backbone, or who are powerless to push back on unethical projects. What the article describes should not be "what many devs would land on" naturally. What many devs should land on is "scanning the user's browser in order to try to fingerprint him without consent is wrong and we cannot do it."
I think using LinkedIn is pretty much agreeing to participate in “fingerprinting” (essentially identifying yourself) to that system. There might be a blurry line somewhere around “I was just visiting a page hosted on LinkedIn.com and was not myself browsing anyone else’s personal information”, but otherwise LinkedIn exists as a social network/credit bureau-type system. I’m not sure how we navigate this need to have our privacy while simultaneously needing to establish our priors to others, which requires sharing information about ourselves. The ethics here is not black and white.
The difference is between the data you give out voluntarily and what is taken from you without consent
If you voluntarily visit my website and my web server sends a response to your IP address, have I “taken” your IP address, or did you give it to me “voluntarily”? What if I log your IP address?
One works for money. And money is important. Ethics isn’t going to pay the mortgage, send kids to university and all that other stuff. I’m not going to do things that are obviously illegal. But if I get a requirement that needs to be met, then the company legal team is responsible for the outcome.
In short, you are not going to solve this problem blaming developer ethics. You need regulation. To get the right regulation we need to get rid of PACs and lobbying.
You are transferring moral agency from yourself, to the government.
Will you do the same for your kids? Would you let the government decide for you what's right, and what's wrong?
Regulation does not necessarily need to be about deciding what's right and what's wrong. It's about making life better for people. That's supposed to be why we have government. If they are not improving people's lives, why do we even have them? Too many people see the government doing nothing to improve their lives and think there's totally nothing wrong with that.
I fail to see how some of the octogenarians in DC, who have been making a killing for decades in trading on market moves that they initiate/regulate themselves, are making life better for your family, or mine.
Because at least half the country thinks that government can't/shouldn't help them, and reliably votes for people who can't/won't make their lives better. We get the government we vote for, and too many people think the government's job is to grief people.
> You are transfering moral agency from yourself, to the government
That is the deal in a state based society. There are alternatives, but are you ready for Council Communism and its ilk?
> Would you let the government decide for you what's right, and what's wrong?
Yes, in a state based society
In a state based society fight for democracy and civil rights. Freedom must be defended
> I think most people would interpret “scanning your computer” as breaking out of the confines the browser and gathering information from the computer itself.
Yes, but I also think that most people would interpret "Getting a full list of all the Chrome extensions you have installed" as a meaningful escape/violation of the browser's privacy sandbox. The fact that there's no getAllExtensions API is deliberate. The fact that you can work around this with scanning for extension IDs is not something most people know about, and the Chrome developers patched it when it became common. So I don't think describing it as something everybody would expect is totally fine and normal for browsers to allow is correct.
> I also think that most people would interpret "Getting a full list of all the Chrome extensions you have installed" as a meaningful escape/violation of the browser's privacy sandbox
I think that’s a far more reasonable framing of the issue.
> I don't think describing it as something everybody would expect is totally fine and normal for browsers to allow is correct.
I agree that most people would not expect their extensions to be visible. I agree that browsers shouldn’t allow this. I, and most privacy/security focused people I know, have been sounding the alarm about Chrome itself as unsafe if you care about privacy for a while now.
This is still a drastically different thing than what the title implies.
> Yes, but I also think that most people would interpret "Getting a full list of all the Chrome extensions you have installed" as a meaningful escape/violation of the browser's privacy sandbox.
I don't think so, because most people understand that extensions necessarily work inside of the sandbox. Accessing your filesystem is a meaningful escape. Accessing extensions means they have identification mechanisms unfortunately exposed inside the sandbox. No escape needed.
It's extremely unfortunate that the sandbox exposes this in some way.
Microsoft should be sued, but browsers should also figure out how to mitigate revealing installed extensions.
Y'all are letting "most people" carry an awful lot of water for this scummy behavior here.
In my experience, most people - even most tech people - are unaware of just how much information a bit of script on a website can snag without triggering so much as a mild warning in the browser UI. And tend toward shock and horror on those occasions where they encounter evidence of reality.
The widespread "Facebook is listening to me" belief is my favorite proxy for this ... Because, it sorta is - just... Not in the way folks think. Don't need ears if you see everything!
> The widespread "Facebook is listening to me" belief is my favorite proxy for this ... Because, it sorta is - just... Not in the way folks think. Don't need ears if you see everything!
Getting folks to install “like” and “share” widgets all over their websites was a genius move.
> I think most people would interpret “scanning your computer” as breaking out of the confines the browser and gathering information from the computer itself.
That is exactly how I interpreted it, and that is why I clicked the link. When I skimmed the article and realized that wasn't the case, I immediately thought "Ugh, clickbait" and came to the HN comments section.
> To reiterate, at no point am I saying this is good or acceptable. I think there’s a massive privacy problem in the tech industry that needs to be addressed.
100% Agree.
So, in summary: what they are doing is awful. Yes, they are collecting a ton of data about you. But, when you post with a headline that makes me think they are scouring my hard drive for data about me... and I realize that's not the case... your credibility suffers.
Also, I think the article would be better served by pointing out that LinkedIn is BY FAR not the only company doing this...
But LinkedIn is the one social network many people literally cannot escape to put food on the table.
I don't care about how much spying is going on in ESPN. I can ditch it at the shadow of a suspicion. Not so with LinkedIn.
This is very alarming, and pretending it's not because everyone else does it sounds disingenuous to me.
That sounds problematic and is only supported by people mindlessly agreeing to it. I know someone who got jobs at google and apple with no linkedin, and he wasn't particularly young. What do you do in the face of it? I say quit entirely. It was an easy decision because I got nothing out of it during the entire time I was on it.
I have heard people say that LinkedIn was vital to their career.
For myself, I agree with you: one should quit (and I will)
After getting laid off at age 52 (2nd time, 1st time day after my 50th birthday, took an inter-company transfer), and searching for a year, applying to maybe 5-10 companies a week, I got my current job (2 years+) through a random LinkedIn button.
You can also just browse LinkedIn with a browser that doesn’t have extensions installed, if privacy is that important to you.
Like everyone else on this thread, I’m not condoning it or saying it’s a good thing, but this post is an exaggeration.
yeah yeah or we can do it from a contained virtual environment over VPN etc
it is a different angle of looking at this issue, and kind of shifts responsibility from their shitty practices over to us users
slippery slope approach, as we can see everywhere, this leads to more and more of such
I don't know, I just started mocking everything and anything in there, it's a wall of shite and AI slop predominantly anyways, so why bother
> Alongside thousands of other extensions. If they were scanning for a dozen things and this was one of them, I’d tend to agree with you. But this sounds more like they enumerated known extension IDs for a large number of extensions because getting all installed extensions isn’t possible.
To take a step back further: what you're saying here is that gathering more data makes it less sinister. The gathering not being targeted is not an excuse for gathering the data in the first place.
It's likely that the 'naive developer tasked with fingerprinting' scenario is close to the reality of how this happened. But that doesn't change the fact that sensitive data -- associated with real identities -- is now in the hands of MS and a slew of other companies, likely illegally.
> But the authors have chosen to frame this in language that is hyperbolic and alarmist, and in doing so I thing they’re making people focus on the wrong things and actually obscuring the severity of the problem, which is certainly not limited to LinkedIn.
The article is not hyperbolizing by exploring the ramifications of this; and it's true that this sort of tracking is going on everywhere, but neither is it alarmist to draw attention to a particularly egregious case. What wrong things does it focus on?
> The gathering not being targeted is not an excuse for gathering the data in the first place.
I’m not saying it is. My point is that they appear to be trying to accomplish something like getInstalledExtensions(), which is meaningfully different from a small and targeted list like isInstalled([“Indeed.com”, “DailyBibleVerse”, “ADHD Helper”]).
One could be reasonably interpreted as targeting specific kinds of users. What they’re actually doing to your point looks more like a naive implementation of a fingerprinting strategy that uses installed extensions as one set of indicators.
Both are problematic. I’m not arguing in favor of invasive fingerprinting. But what one might infer about the intent of one vs. the other is quite different, and I think that matters.
Here are two paragraphs that illustrate my point:
> “Microsoft reduces malicious traffic to their websites by employing an anti-bot/anti-abuse system that builds a browser fingerprint consisting of <n> categories of identifiers, including Browser/OS version, installed fonts, screen resolution, installed extensions, etc. and using that fingerprint to ban known offenders. While this approach is effective, it raises major privacy concerns due to the amount of information collected during the fingerprinting process and the risk that this data could be misused to profile users”.
vs.
> “Microsoft secretly scans every user’s computer software to determine if they’re a Christian or Muslim, have learning disabilities, are looking for jobs, are working for a competitor, etc.”
The second paragraph is what the article is effectively communicating, when in reality the first paragraph is almost certainly closer to the truth.
The implications inherent to the first paragraph are still critical and a discussion should be had about them. Collecting that much data is still a major privacy issue and makes it possible for bad things to happen.
But I would maintain that it is hyperbole and alarmism to present the information in the form of the second paragraph. And by calling this alarmism I’m not saying there isn’t a valid alarm to raise. But it’s important not to pull the fire alarm when there’s a tornado inbound.
> But what one might infer about the intent of one vs. the other is quite different, and I think that matters.
That's where we disagree: intent doesn't matter here, because the intent of the person gathering the data is not the same as those who have access to the data. I don't care if the team tasked with implementing this believed they were saving the world, because once this data is in the hands of a big corporation, in perpetuity, and the thousands of people that entails, and it diffuses across advertisers and governments, be it through leaks, backroom deals, or perfectly above-board operations, it makes no difference how it got there.
The two paragraphs given:
> “Microsoft reduces malicious traffic to their websites by employing an anti-bot/anti-abuse system that builds a browser fingerprint consisting of <n> categories of identifiers, including Browser/OS version, installed fonts, screen resolution, installed extensions, etc. and using that fingerprint to ban known offenders. While this approach is effective, it raises major privacy concerns due to the amount of information collected during the fingerprinting process and the risk that this data could be misused to profile users”.
vs.
> “Microsoft secretly scans every user’s computer software to determine if they’re a Christian or Muslim, have learning disabilities, are looking for jobs, are working for a competitor, etc.”
The latter is the tangible effect of the former. The two aren't mutually exclusive, and considering the former has long gone unaddressed in its most charitable form, it only makes sense to use a particularly egregious example of it taken to its natural conclusion to address in courts and the public consciousness.
Calling out the fingerprinting users' extensions is not hyperbolic. Defending that action is.
Calling out the fingerprinting of extensions is appropriate and can be achieved without hyperbole.
As I’ve stated clearly throughout this thread, the fingerprinting they’re doing is a problem.
Calling it “searching your computer” is also a problem.
> Defending that action is
Nowhere have I defended what LinkedIn is doing.
It's `searching your computer`, period. The extensions are part of my computer. They don't exist in my refrigerator.
> Nowhere have I defended what LinkedIn is doing.
Yep. You get a taste of your own. You are accusing the site of being hyperbolic and alarmist. I'm accusing you of being a defender of LinkedIn.
It is equally “searching your home network” as it is “searching your computer”. This is not searching your computer. It is searching your browser. Being contained to the browser is completely different than having access to the OS behind the browser.
The issue here is that even if the original goal is the first thing, once you have the data you can do that second thing. From where we stand, nothing changes - same information is collected. But now, it's also used for affinity targeting or worse.
> I think most people would interpret “scanning your computer” as breaking out of the confines the browser and gathering information from the computer itself.
Which they would, if they could.
They are scanning users' computers to the maximum extent possible.
> I think most people would interpret “scanning your computer” as breaking out of the confines the browser and gathering information from the computer itself. If this was happening, the magnitude of the scandal would be hard to overstate.
But at the end of the day, the browser is likely where your most sensitive data is.
> Alongside thousands of other extensions. If they were scanning for a dozen things and this was one of them, I’d tend to agree with you. But this sounds more like they enumerated known extension IDs for a large number of extensions because getting all installed extensions isn’t possible.
If that's all it takes to fool you then it's a pretty trivial way to hide your true intentions.
> making people focus on the wrong things and actually obscuring the severity of the problem, which is certainly not limited to LinkedIn.
No, LinkedIn has much more sensitive data already. Combined with the voracious fingerprinting, this stands out as a particularly dystopian instance of surveillance capitalism
When "the browser is the OS", scanning that is a pretty big chunk of "your computer".
but the language of "your computer" implies files on your computer, as it would be what people commonly call it. Merely just the extension is not enough.
If it has the ability to scan your bookmarks, or visited site history, that would lend more credence to using the term "computer".
The title ought to have said "linkedIn illegally scans your browser", and that would make clear what is being done without being sensationalist.
Extensions are files installed on your computer, though?
So are fonts. But running Window.queryLocalFonts() is not equivalent to “illegally searching your computer”.
I’m not defending the act of scanning for these extensions, and I’m of the opinion that such an API shouldn’t even exist, but just pointing out that there are perfectly legitimate APIs that reveal information that could be framed as “files installed on your computer” that are clearly not “searching your computer” like the title implies.
It doesn't have to be files. It could be in memory on the browser. Extensions don't imply files for anyone but the most technical of conversations. Certainly not to the layman.
Having sensationalist titles should be called out at every opportunity.
> It doesn't have to be files. It could be in memory on the browser.
How'd that work? If it's in memory, the extensions would vanish every time I shut down Chrome? I'll have to reinstall all my extensions again every time I restart Chrome?
Have you seen any browser that keeps extensions in memory? Where they ask the user to reinstall their extensions every time they start the browser?
I'm just using it as a possible example. There's also Tampermonkey which installs not via files but via URLs from another site.
The point is to call out the sensationalism in the title.
Reminds me of https://xkcd.com/1200/
But it's not getting access to real user data, just a partial list of things that are installed.
> but the language of "your computer" implies files on your computer, as it would be what people commonly call it. Merely just the extension is not enough.
But the language of "your computer" also implies software on your computer including but not limited to Chrome extensions.
It implies more than just the browser, which is likely why it was used for the post title. If it is exclusively limited to the browser, then "scans your browser" is more correct, and doesn't mislead the reader into thinking something is happening which isn't commonplace on the internet.
Are you defending LinkedIn’s behavior right now or are you just happy to be more technically correct (the best kind of correct!) than those around you? Trying to understand the angle
The browser fingerprinting described is ubiquitous on the internet, used by players large and small. There are even libraries to do this.
Like OP, I don't consider behavior confined to the browser to be my computer. "Scans your browser" is both technically correct and less misleading. "Scans your computer" was chosen instead, to get more clicks.
Something may be bad, but accurately describing why it is bad significantly elevates the discourse.
E.g., someone could use the phrase "Won't someone think of the children?" to describe a legitimately bad thing like bank fraud, but the solutions that flow from the problem that "children are in danger" are significantly different from the solutions that flow from "phishing attacks are rampant".
The two issues in this case aren't quite as different as child-endangerment and bank fraud. But if the problem was as the original title describes, the solution is quite different (better sandboxing) than what the actual solution is. Which I don't know, but better sandboxing ain't it.
So technically correct. Got it
attacking people for having more nuance and accuracy than you have is how polarization and tribal epistemology happens
'ignore the facts! ENEMY!!!' generally doesn't end well for anybody
And I spend a lot of my time at home on my computer. The article should have said LinkedIn is searching my house.
This is just the next iteration of the issues with Linux file permissions, where the original threat model was “the computer is used by many users who need protection from each other”, and which no longer makes much sense in a world of “the computer is used by one or more users who need protection from each other and also from the huge amounts of potentially malicious remote code they constantly execute”.
It looks like it's also gathering info on your OS and graphics card which seems very much "your computer"
Scanning your computer is an entirely different thing than scanning browser extensions. By maximizing the expectation via "Illegally searching your computer", the truth suddenly appears harmless.
Where do browser extensions exist? I've got a dreadful feeling they might be on my computer.
Similarly, CSS font fallbacks are when websites break into your computer and steal your data, just because their font didn’t load!
>Where do browser extensions exist? I've got a dreadful feeling they might be on my computer.
All of the browser extensions I'm aware of are on planet Earth, so I guess you'd have it that LinkedIn is searching the planet for your browser extensions?
>Calling the title misleading because they didn't breach the browser sandbox is wrong
By this logic we could also say that LinkedIn scans your home network.
Websites could scan your local network covertly up until a few years ago; now it requires explicit permission (like notifications, location, etc)
I personally think it's misleading, and even when you start reading, the page it links to is even more misleading in my opinion.
>Every time any of LinkedIn’s one billion users visits linkedin.com, hidden code searches their computer for installed software, collects the results, and transmits them to LinkedIn’s servers and to third-party companies including an American-Israeli cybersecurity firm.
When I read that, I think they have escaped the browser and are checking which applications I have installed on my computer. Not which plugins the browser has in it. Just my 2 cents.
>How is probing your browser for installed extensions not "scanning your computer"?
The same way taking a photo of a house from the street is not the same as investigating the contents of your pantry.
Because "scanning your computer" technically could include scanning plugins, but it could also include scanning your files, your network or your operating system.
While "scanning your browser" would be more accurate and would exclude the interpretation that it scans your files.
The reason the latter is not used is that, even though more precise and more communicative, it would get less clicks.
There are rules and laws about fingerprinting too, I thought.
Lol, lmao even. Lawmakers are banning privacy as fast as they can, this kind of personally identifiable stuff is perfectly aligned with their end goals.
Checking for extensions is barely anything when you consider the amount of system data a browser exposes in various APIs, and you can identify someone just by checking what's supported by their hardware, their screen res, what quirks the rendering pipeline has, etc. It's borderline trivial and impossible to avoid if you want a working browser, and if you don't, the likes of Anubis will block you from every site because they'll think you're a VM running a scraper bot.
In the same way that scanning and identifying your microwave for food you put inside it is not the same as scanning your house and reading the letters in your postbox.
Your browser is a subset of your computer and lives inside a sandbox. Breaching that sandbox is certainly a much more interesting topic than breaking GDPR by browser fingerprinting.
> I’ve come to mostly expect this behavior from most websites that run advertising code and this is why I run ad blockers.
Expecting and accepting this kind of thing is why everyone feels the need to run an ad-blocker.
An ad-blocker also isn’t full protection. It’s a cat and mouse game. Novel ideas on how to extract information about you, and influence behavior, will never be handled by ad-blockers until it becomes known. And even then, it’s a question of if it’s worth the dev time for the maker of the ad-blocker you happen to be using and if that filter list gets enabled… and how much of the web enabling it breaks.
To be clear, expecting != accepting.
The point was more that the headline frames this as some major revelation about LinkedIn, while the reality is that we’re getting probed and profiled by far more sites than most people realize.
LinkedIn's whole business model is gatekeeping their database.
They're scanning your extensions to make sure you aren't using third party tools to scrape LinkedIn.
It's stupid, but they're trying to stop people from making money on LinkedIn when they feel like they're the only ones that should be able to do that.
Has anyone published useful parts of their database? It'd be kinda nice to use a rolodex that wasn't slimed with the rest of LI's taint.
>... everyone feels the need to run an ad-blocker.
I don't: never have and never will. I don't notice the ads, they don't bother or distract me: I'm online 4-8 hours/day.
diaphimisticophobia: fear of advertisements or commercials
I would bet HN has the highest proportion of people with diaphimisticophobia of any group on the planet.
I don't fear advertisements. I resent them.
Studies show most people who don’t think they’re impacted by advertisements are wrong. Advertisements don’t just drive you to buy something, they can also be used to create brand recognition, positive feeling associations and force the brand to front of mind.
You don’t notice ads when they pop up in front of content? When they lead to nearly full page breaks between paragraphs in an article? When they contain auto-play videos? When the video resizes itself and moves to stay in the viewport as the user scrolls? When so many ads load that the page crashes? When you do a Google search and there is only a single organic result without scrolling?
They introduced ads like a frog into tepid water. The water is now boiling and many still think everything is fine, because at this point it’s all they know.
It’s not a fear, it’s annoyance and a resentment. I’m annoyed that the ads make web pages so much worse. I resent that everything being “free” with ads has made it next to impossible for other business models to take hold and that new companies need to burden themselves with investors, because the expectation is that things online should be free. I’m annoyed that a profile of who I am has been built and sold without my consent and without giving me a cut of the profit. I resent the companies that do this and have no respect for them or their leadership. It’s most certainly not fear of advertisements.
The fear is what will happen to that data, or what may already be happening, if it is controlled by some deceitful individuals or groups.
The fear doesn’t come from the ads, it comes from the invasive data collection that increases the profit of the ads. It’s compounded by the extremely frequent hacks and data leaks that have made it very clear that most of these companies cannot keep the data they collect secure. As such, they have no business collecting and storing it in the first place.
A billboard is an advertisement, so is a magazine ad. The world would be a more aesthetically pleasing place without them, sure, but I don’t go out of my way to avoid them like with the online ads. Billboards and magazines aren’t monitoring me and using hyper-targeted ads. A knitting magazine is going to show ads for knitting stuff. A billboard in Orlando is going to point a driver toward Disney. That’s just fine. Those ads meet people where they are, they don’t follow them around.
I don’t like shopping at Target due to what I’ve read about their data collection and how it’s used. I don’t fear big box stores, I just don’t want to be part of their data set. A store should be a store that profits from the margins of the products they sell. Now, the retail arm is just the front of their advertising or credit card arm of the business, where all the real money is. I don’t want to play that game. I’m a simple man, I want things to be what they are and that’s it.
Excuse the rant.
When I look up diaphimisticophobia, it seems specific about the commercial and their content being the fear. I think most people on HN have an issue with the data collection and use, not the content of the ads themselves.
> this is why I run ad blockers.
It's pretty wild that we live in a world where the actual FBI has recommended we use ad blockers to protect ourselves, and if everyone actually listened, much of the Internet (and economy) as we know it would disappear. The FBI is like "you should protect yourself from the way that the third largest company in the world does business", and the average person's response is "nah, that would take at least a couple of minutes of my time, I'll just go ahead and continue to suffer with invasive ads and make sure $GOOG keeps going up".
>the average person's response is "nah, that would take at least a couple of minutes of my time,
As a data point I, a technical person who tweaks his computer a lot, was against adblocking for moral reasons (as a part of a perceived social contract, where the internet is free because of ads). Only later I changed my mind on this because I became more privacy aware.
The social contract was "your ads aren't annoying or invasive, and don't waste my time, so I earn you some money"
But ads are all of those things now, so I feel no obligation. I only got an ad blocker around the time ads were becoming excessively irritating.
Figure this: You could plaster a page with the most obtrusive ads imaginable without ever showing a cookie banner, when they collect no private info.
Most people, including folks on here, think cookie banners are a problem, but they are just an annoying attempt to phish your agreement. As long as these privacy loopholes exist, we will keep hearing such stories even from large corporations with much to lose, which means the current privacy regulations do not go far enough.
Beyond just invasive/annoying, ad networks explicitly spread malware and scams/fraud. There's not much incentive for them to clamp down on it, though, as that would cost them money both in lost revenue and in paying for more thorough review.
It'd not even be hard for them to stop it, but they just had to be annoying instead.
When I first started out on the internet, ads were banners. Literally just images and a link that you could click on to go see some product. That was just fine.
However, that wasn't good enough for advertisers. They needed animations, they needed sounds, they needed popups, they needed some way to stop the user from just skimming past and ignoring the ad. They wanted an assurance that the user was staring at their ad for a minimum amount of time.
And, to get all those awful annoying capabilities, they needed the ability to run code in the browser. And that is what has opened the floodgate of malware in advertisement.
Take away the ability for ads to be bundled with some executable and they become fine again. Turn them back into just images, even gifs, and all the sudden I'd be much more amenable to leaving my ad blocker off.
> The social contract was "your ads aren't annoying or invasive
Even back in the 1990s the internet was awash with popups, popunders and animated punch-the-monkey banner ads. And with the speed of dial-up, hefty images slowed down page loads too.
You must be a true Internet veteran if you remember a time ads weren’t annoying!
I remember a time before ads. I remember the first time I got "spam" email - email not directly addressed to me that ended up in my inbox. I was very confused for some time about why this email was sent to me.
I remember how I felt the first time I saw an ad come across my browser, it seems so long ago - I guess it was more than a quarter century ago now. I knew it was going to be downhill from there, and it has been.
Well by 2000 the guy at Tripod had already developed pop-up ads. I honestly don't remember ads before the pop-ups, but it must have already been maturing.
I strongly believe in paying journalists but I started blocking ads after nytimes.com served me a Windows malware download from a Doubleclick domain. It couldn’t have harmed my Mac but it was clear that the adtech industry had no interest in cleaning shop if it cost them a dime in revenue.
You mean the internet you pay to access and which was around before the ads were even on it? That internet?
I'm not trying to be mean I'm just trying to historically parse your sentence/belief.
Because for me this is a simplified analogy of what happened on the internet:
a) we opened a club house called the internet in the early 1990s, just after the time of BBSs
b) a few years later a new guy called commercial business turned up and started using our club house and fucking around with our stuff
c) commercial business started going around our club house rearranging the furniture and putting graffiti everywhere saying the internet is here and free because of it. We're pretty sure it might have even pissed in the hallway rather than use the toilet and the whole place is smelling awful.
d) the rest of us started breaking out the scrubbing brushes and mops (ad blockers, extensions, VPNs, etc) trying to clean up after it
e) some of its friends turned up and started repeating something about social contracts and how business and ads built this internet place
f) the rest of us keep crying into our hands just trying to meet up, break out the slop buckets to clean up the vomit in the kitchen and some of us now have to wear gloves and condoms just to share things with our friends and stop the whole place collapsing
Ya, back when 'we' were fucking around on BBSes there was the equivalent of 10 people online at the time.
Quantity is a quality in itself. Your BBS was never going to support a million users. Once people figured out the network effect it was over for the masses. They went where the people are, and we've all suffered since.
Honestly, I still prefer webboards, the closest thing to a BBS, for specific topics like specific car brands/models. WAY better signal-to-noise ratio. Alas, for my car model, all the recent stuff has moved to Fbook. FML.
> a) we opened a club house called the internet in the early 1990s, just after the time of BBSs
"we" is doing a lot of work here. No clubhouse got optical switching working and all that fiber in the ground for example. Beyond POC, the Internet was all commercial interests.
"we" paid ISPs ... which in turn, paid for infrastructure. Some of "we" pay cable providers for internet service, which in turn paid for (in my case) fiber-to-the-curb. Advertising basically supported social media, search engines, etc.
No. The internet was not a commercial enterprise, it was first and foremost a military enterprise, just like GPS.
> it was first and foremost a military enterprise, just like GPS
This is sort of like arguing cutlery is a military enterprise. Like yes, that’s where knives came from. But that’s disconnected enough from modern design, governance and other fundamental concerns as to be irrelevant. The internet—and less ambiguously, the World Wide Web—are more commercial than military.
This is moving the goalposts. The commenter above is talking about the enthusiast-populated internet of the late 80s/early 90s, at which point it still wasn't even clear if it was legal to use the internet for commercial purposes. If all you mean to say is that the internet is currently commercialized, yes, that is obviously true, in much the same way that a disgusting ball of decomposing fungus may have once been an apple.
> commenter above is talking about the enthusiast-populated internet of the late 80s/early 90s, at which point it still wasn't even clear if it was legal to use the internet for commercial purposes
Source? Not doubting. But I have a friend who was buying airline tickets through CompuServe in the late 80s/early 90s.