Microsoft is not just reading your resume anymore.

A new investigation by security research group BrowserGate has uncovered hidden code embedded in LinkedIn that actively scans visitors computers for installed software. Not cookies. Not browsing habits. The actual programs sitting on your hard drive. The results are transmitted back to LinkedIn and, according to the researchers, shared with third-party cybersecurity firms.

The story exploded to the number one spot on HackerNews with over 655 points and 324 comments, and for good reason: this is not some anonymous data collection play. LinkedIn knows exactly who you are. Your real name. Your employer. Your job title. Your entire professional network. When you pair that identity data with a full inventory of what software someone runs, you do not have analytics. You have an industrial surveillance operation targeting a billion professionals.

How It Works

According to the BrowserGate investigation, LinkedIn embeds JavaScript that probes the browser environment to detect installed applications. The technique exploits protocol handlers and other browser fingerprinting methods to build a profile of what tools, development environments, and enterprise software each visitor uses. This happens silently, without any consent prompt or disclosure in LinkedIn standard privacy policy.

The implications are staggering. A competitor could learn what CRM your sales team uses. A recruiter could see what coding tools a developer runs. An adversary could map the security software deployed across an entire organisation, one employee profile at a time.

Why This Is Bigger Than a Privacy Violation

Most data collection controversies involve anonymous tracking. That is bad enough. But LinkedIn is unique because it has verified professional identities attached to every data point. When Facebook tracks your browsing, it knows a user ID visited certain sites. When LinkedIn scans your computer, it knows that Jane Smith, Senior Engineer at Lockheed Martin, runs specific development tools and security software.

That is not data collection. That is intelligence gathering. And it is happening to every professional who visits the platform.

Microsoft Has Not Responded

As of publication, neither LinkedIn nor Microsoft has issued a public response to the BrowserGate findings. The developer community is already calling for regulatory investigation, with commenters on HackerNews drawing comparisons to the kind of software scanning that would typically require a warrant if conducted by a government agency.

Here is the uncomfortable question nobody at Microsoft wants to answer: if a foreign government embedded code on a website that scanned the computers of a billion professionals and mapped their employers software stack, we would call it espionage. When Microsoft does it through LinkedIn, we are supposed to call it a feature.

The AI and tech industry has spent the last year debating whether chatbots are safe. Maybe it is time to ask whether the platforms we already trust are safe either.