The investigation argues that probing locally installed applications via custom URL protocol handlers constitutes accessing information stored on a user's terminal equipment, which requires prior informed consent under Article 5(3) of the ePrivacy Directive — the same provision behind cookie consent banners. The .eu domain and framing are deliberately aimed at EU regulators to trigger enforcement action.
The investigation documents that LinkedIn's JavaScript invokes protocol handlers (slack://, zoom://, spotify://, ms-teams://) and observes timing differences or error responses to fingerprint installed applications — requiring no file system access and triggering no permissions prompt. This highlights that browsers themselves are complicit by exposing detectable side channels through standard APIs.
By submitting the browsergate.eu investigation to Hacker News (where it scored over 1,200 points), digitalWestie amplified the finding that while protocol handler probing has been documented by security researchers for years, LinkedIn's deployment of it at scale — to build advertising and recruitment profiles from users' installed software — represents a significant escalation from theoretical attack to commercial exploitation.
A European privacy investigation published at browsergate.eu has documented LinkedIn systematically scanning users' computers through the browser — not by installing malware, but by exploiting standard browser APIs to detect which applications are installed locally. The investigation landed on Hacker News with a score exceeding 1,200, making it one of the highest-signal privacy stories of the week.
The core technique is custom URL protocol handler probing. Every application that registers a protocol handler (`slack://`, `zoom://`, `spotify://`, `ms-teams://`) creates a detectable fingerprint. LinkedIn's JavaScript attempts to invoke these handlers and observes the browser's response to build a profile of what's installed on your machine. When an app is installed, the browser behaves differently than when it isn't — a timing difference, a navigation attempt, or an error response that reveals the answer. No file system access required. No permissions prompt shown.
This isn't a novel technique. Security researchers have documented protocol handler probing for years. What makes the browsergate.eu investigation notable is the specificity: it names LinkedIn, documents the behavior with network traces, and frames it squarely within European privacy law. The .eu domain isn't coincidental — this is aimed at EU regulators.
The legal argument is straightforward and strong. Article 5(3) of the ePrivacy Directive — the same provision that spawned every cookie consent banner you've ever clicked — doesn't just cover cookies. It covers any access to information stored on a user's terminal equipment. Probing which applications are installed on someone's computer is accessing information stored on their device, full stop. The directive requires prior informed consent for this access, with narrow exceptions for technical necessity. LinkedIn knowing you have Salesforce installed is not technically necessary to show you a feed of professional updates.
GDPR layers on additional requirements. The installed application list constitutes personal data — it's a fingerprint that can identify or profile an individual. Processing this data requires a lawful basis. Legitimate interest, LinkedIn's likely defense, requires a balancing test that weighs the company's interest against the user's reasonable expectations. Most users do not expect that visiting linkedin.com will inventory their desktop software.
The precedent this sets matters more than the specific violation. If LinkedIn — a Microsoft subsidiary with one of the largest legal teams in tech — is doing this without consent mechanisms, smaller companies are almost certainly doing it too. The technique is trivial to implement: a few dozen lines of JavaScript, no server infrastructure required, and until now, minimal enforcement risk.
The Hacker News discussion surfaced several important technical points. Protocol handler detection has been an open fingerprinting vector for over a decade. Browser vendors have incrementally restricted it — Chrome added a permission prompt for some protocol navigations, Firefox has tightened its handler detection — but the arms race continues. Each browser handles the detection differently, which paradoxically makes the fingerprint more unique: not only does LinkedIn learn what apps you have, but the detection pattern reveals your browser type and version.
Some commenters noted that this sits on a spectrum with other browser fingerprinting techniques: canvas fingerprinting, WebGL renderer strings, font enumeration, AudioContext hashing. But protocol handler probing is qualitatively different. Those techniques infer information from how the browser renders content. Protocol handler probing directly interrogates your operating system about what software you've installed. It's the difference between looking at someone's shoes to guess their income and rifling through their closet.
For developers who want to understand (or audit) this behavior, the detection typically works through one of several methods:
Navigation timing: JavaScript creates a hidden iframe and attempts to navigate it to a custom protocol URL. If the protocol handler exists, the navigation behavior differs measurably from a failed navigation. Timing the response reveals the answer.
Blur/focus detection: When a protocol handler fires and an application opens (even briefly), the browser window loses focus. JavaScript's `blur` event fires, confirming the app exists.
Error handling differences: Some browsers throw distinguishable errors for "unknown protocol" vs. "user declined to open" — the error type itself reveals whether the handler is registered.
Modern browsers have been closing these channels, but the cat-and-mouse game continues. Chrome's `navigator.protocolHandlerPermission` API and Firefox's about:config restrictions have reduced the attack surface, but cross-browser inconsistencies mean determined actors can still extract signal.
If you're building web applications that serve EU users, this investigation should trigger a compliance review. The key question isn't whether you're doing exactly what LinkedIn is doing — it's whether any of your JavaScript touches device-resident information without consent.
Audit your third-party scripts. If you embed LinkedIn's tracking pixel, share buttons, or advertising SDKs, you may be a vector for this behavior. The investigation focuses on linkedin.com directly, but third-party embeds execute in your page's context. Under GDPR's joint controller provisions, you could share liability for data collection performed by scripts you chose to embed.
Review your own fingerprinting. If your fraud detection, bot mitigation, or analytics stack uses canvas fingerprinting, WebGL probing, or font enumeration, the same ePrivacy Article 5(3) analysis applies. The "strictly necessary" exception is narrow — fraud prevention has a stronger case than analytics, but neither is automatic.
Watch the enforcement timeline. EU Data Protection Authorities have been increasingly aggressive on tracking technologies. The French CNIL fined Microsoft €60M in 2022 over Bing's advertising cookies. LinkedIn, also a Microsoft property, is now under a similar spotlight. If a DPA opens a formal investigation, the precedent will ripple across every company using browser-based device probing.
For frontend developers specifically: test your sites with browser developer tools looking for protocol handler invocations you didn't write. Check the Network tab for unexpected navigations to custom schemes. Review your Content Security Policy — a strict `navigate-to` directive can block unauthorized protocol navigations, though browser support remains inconsistent.
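To put that audit advice into practice alongside the three detection methods described earlier (navigation timing, blur/focus, error differences all start with a navigation to a custom scheme), here is an added example, not code from the investigation or from LinkedIn, that wraps `window.open` and the iframe `src` setter so any custom-scheme navigation a script attempts is logged. The names `installAuditHooks`, `isCustomScheme` and `BROWSER_SCHEMES` are my own.

```javascript
// Added audit hook (example code, not from the browsergate.eu investigation or
// LinkedIn's scripts): records attempts to navigate to custom URL schemes so a
// developer can see whether any script on a page is probing protocol handlers.

// Schemes the browser handles itself; anything else is dispatched to an
// OS-registered handler and therefore reveals whether an app is installed.
// mailto:/tel: are handler-backed too; drop them from this set to audit them.
const BROWSER_SCHEMES = new Set([
  'http', 'https', 'about', 'blob', 'data', 'javascript', 'file', 'ws', 'wss',
  'mailto', 'tel',
]);
// Scheme of a URL string (lower-cased), or null for relative/schemeless URLs.
function schemeOf(url) {
  const m = /^\s*([a-z][a-z0-9+.-]*):/i.exec(String(url));
  return m ? m[1].toLowerCase() : null;
}

function isCustomScheme(url) {
  const s = schemeOf(url);
  return s !== null && !BROWSER_SCHEMES.has(s);
}

// Wrap window.open and the iframe `src` setter on `win` (pass `window` in a
// browser; a stand-in object works for tests). `location` itself is unforgeable
// and cannot be wrapped, so navigations through it still need the Network tab.
// Returns the array that collects every custom-scheme navigation attempt.
function installAuditHooks(win, onProbe) {
  const hits = [];
  const record = (via, url) => {
    if (!isCustomScheme(url)) return;
    const entry = { via, scheme: schemeOf(url), url: String(url), at: Date.now() };
    hits.push(entry);
    if (onProbe) onProbe(entry);
  };
  const origOpen = win.open;
  win.open = function (url, ...rest) {
    record('window.open', url);
    return typeof origOpen === 'function' ? origOpen.call(this, url, ...rest) : null;
  };
  const iframeProto = win.HTMLIFrameElement && win.HTMLIFrameElement.prototype;
  const desc = iframeProto && Object.getOwnPropertyDescriptor(iframeProto, 'src');
  if (desc && desc.set) {
    Object.defineProperty(iframeProto, 'src', {
      configurable: true,
      get() { return desc.get.call(this); },
      set(v) { record('iframe.src', v); desc.set.call(this, v); },
    });
  }
  return hits;
}
```

Load it before any third-party script, exercise the page flows you want to audit, then inspect the returned array; each entry names the API used and the scheme that was targeted.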
This investigation is part of a broader pattern: privacy researchers are systematically documenting the gap between what browsers permit and what privacy law allows. The browser is the last unregulated frontier — it sits on the user's device, executes arbitrary code from remote servers, and has access to a startling amount of local information. LinkedIn's protocol handler probing is legal in the US, questionable in the UK, and almost certainly illegal in the EU without consent. As browser vendors continue tightening APIs and regulators continue expanding enforcement, the window for silent device probing is closing. The companies that get ahead of this will save themselves the cost of a CNIL investigation. The ones that don't will learn that "everyone does it" has never been a valid legal defense.