Microsoft is running one of the largest corporate espionage operations in modern history.

Every time any of LinkedIn’s one billion users visits linkedin.com, hidden code searches their computer for installed software, collects the results, and transmits them to LinkedIn’s servers and to third-party companies including an American-Israeli cybersecurity firm.

The user is never asked. Never told. LinkedIn’s privacy policy does not mention it.

Because LinkedIn knows each user’s real name, employer, and job title, it is not searching anonymous visitors. It is searching identified people at identified companies. Millions of companies. Every day. All over the world.

  • inlandempire@jlai.lu · 42 up, 1 down · 2 days ago

    it does NOT scan applications on your computer

    technically browser extensions are considered applications under EU’s GDPR

    It DOES scan which browser extensions you have running (if they affect page loading).

    as per their report:

    Why two detection methods

    | Method | Technique | What it catches |
    | --- | --- | --- |
    | AED | fetch() against known resource paths | Extensions that are merely installed, even if they inject nothing into the current page |
    | Spectroscopy | Full DOM tree walk | Extensions that actively modify the page, even if they are not in LinkedIn’s hardcoded list |

    • Alberat@lemmy.world · 18 up, 3 down · 2 days ago

      it’s misleading to say it’s searching your computer tho…? this invokes the thought of LinkedIn getting to rifle through your files like it has access to ~/Documents/ or smth.

      but yeah tracking you over the internet is similarly bad

      • stroz@infosec.pub · 10 up, 2 down · 2 days ago

        it’s misleading to say it’s searching your computer tho…?

        Wait, your browser extensions aren’t on your computer?

        • Armok_the_bunny@lemmy.world · 12 up · 2 days ago

          It’s misleading because saying “search the computer” implies a breadth of scan that isn’t present. That’s like saying a website “searches the computer” to grab cookies generated by that site; technically true but worded to be misleading.

          To be clear this is bad, but it’s important to be clear when explaining why it is bad to avoid creating resentment when the person you are explaining it to looks deeper into it themself and finds that it’s not as bad as your explanation was implying.

        • partofthevoice@lemmy.zip · 1 up · edited · 2 days ago

          I believe the point they’re trying to make is that they have access to APIs which describe particular software on your PC. You can argue based on the fact that, yes, the software is persisted on your filesystem. However, the API they access brokers [meta]data about the software. It’s not a filesystem API. If I add arbitrary files to an extension directory under my browser’s path for extension persistence, they probably cannot see those arbitrary files unless the extension is built to allow it.

          There is a big difference between having direct and broad read access to the filesystem, versus the much smaller volume of data they can infer about your filesystem using APIs for browser extension data.

          • FooBarrington@lemmy.world · 1 up · 1 day ago

            There isn’t an API for browser extension data. They are searching for the existence of thousands of specific addresses to perform the search.

    • GreenShimada@lemmy.world · 1 up · 1 day ago

      While browser extensions are considered apps under the GDPR, the headline is intentionally misleading. LinkedIn isn’t “Illegally Searching your Computer.” It’s asking the browser for all the info it’s maximally able to give up. We do need to define browser extensions in a way that doesn’t use fear as clickbait to make it sound like LinkedIn has greater access to a device than it really has.

      And thanks for the correction on AED, I had seen another analysis a couple weeks back and I didn’t recall correctly what was being collected.
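
Added example, not part of the thread or of the report it quotes: a manifest audit showing which installed extensions a fixed path list (the AED row in the table quoted above) could test for from a given origin. It assumes the "known resource paths" are files an extension declares under `web_accessible_resources`; the function names, sample manifests and the `https://www.example.com` origin are constructed for illustration.

```javascript
// Added example. The manifests in `samples` are constructed, not real extensions.
// True if a Chrome match pattern such as "https://*.example.com/*" covers origin.
function patternCoversOrigin(pattern, origin) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?):\/\/(\*|(?:\*\.)?[^/*]+)\//.exec(pattern);
  if (!m) return false;
  const url = new URL(origin);
  const scheme = url.protocol.slice(0, -1);
  if (m[1] !== "*" && m[1] !== scheme) return false;
  const host = m[2];
  if (host === "*") return true;
  if (host.startsWith("*.")) {
    const base = host.slice(2);
    return url.hostname === base || url.hostname.endsWith("." + base);
  }
  return url.hostname === host;
}

// Resource paths a page at `origin` could request at a fixed URL, which is
// what a hardcoded path list can test for. Empty result: no fixed-path exposure.
function probeableResources(manifest, origin) {
  const paths = [];
  for (const entry of manifest.web_accessible_resources || []) {
    if (typeof entry === "string") {
      paths.push(entry); // Manifest V2 form: readable from every origin
    } else if (!entry.use_dynamic_url && // MV3: per-session URL, no fixed path
               (entry.matches || []).some((p) => patternCoversOrigin(p, origin))) {
      paths.push(...entry.resources);
    }
  }
  return paths;
}

const samples = {
  mv2Open: { manifest_version: 2, web_accessible_resources: ["img/icon.png"] },
  mv3AllUrls: { manifest_version: 3, web_accessible_resources: [
    { resources: ["inject.css"], matches: ["<all_urls>"] }] },
  mv3OtherSite: { manifest_version: 3, web_accessible_resources: [
    { resources: ["ui.html"], matches: ["https://*.example.org/*"] }] },
  mv3Dynamic: { manifest_version: 3, web_accessible_resources: [
    { resources: ["ui.html"], matches: ["<all_urls>"], use_dynamic_url: true }] },
  noResources: { manifest_version: 3 },
};

function audit(origin) {
  return Object.fromEntries(Object.entries(samples)
    .map(([name, m]) => [name, probeableResources(m, origin)]));
}
console.log(audit("https://www.example.com"));
```

An empty list only rules out the fixed-path method; per the table quoted in the thread, an extension that modifies the page can still be noticed by a DOM walk.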