Inside LinkedIn's Surveillance Engine: 48 Browser Fingerprints, Hidden Iframes, and What Firefox Users Should Know
Date: April 3, 2026 · Author: Karma-X Security Research Team
Category: Privacy & Surveillance Research · Methodology: Independent JavaScript analysis using proprietary Karma-X tools
Related Research: BrowserGate (Fairlinked e.V.) · LinkedIn
Executive Summary
LinkedIn, a Microsoft-owned platform with over 1 billion users, embeds an extensive surveillance infrastructure in its production JavaScript that goes far beyond standard web analytics. Our independent analysis of 16.2 megabytes of JavaScript served to a logged-in Firefox user on the LinkedIn feed page reveals a multi-layered fingerprinting system that collects 48 distinct browser characteristics, encrypts them with RSA, and transmits them on every subsequent API request via an injected HTTP header.
This system—internally designated APFC (Anti-fraud Platform Features Collection) / DNA (Device Network Analysis)—operates alongside three third-party surveillance integrations: HUMAN Security (PerimeterX) via a hidden off-screen iframe, Merchant Pool device fingerprinting, and Google reCAPTCHA v3 Enterprise with a deliberately hidden badge. The entire apparatus is controlled by LinkedIn's internal LIX experimentation system, allowing A/B testing of surveillance features on unknowing users.
While the recent BrowserGate research by Fairlinked e.V. documented these systems with a focus on Chrome extension scanning, our analysis reveals that Firefox users are subjected to nearly the full surveillance stack—minus the extension scanning—and in some ways are more uniquely identifiable due to Firefox-specific API responses.
Methodology
The Karma-X Security Research Team captured all JavaScript served to a logged-in Firefox user on https://www.linkedin.com/ (the feed page) using proprietary JavaScript analysis tools developed for security research. The capture yielded 16 scripts totaling 16.2MB, which were then subjected to:
- Static analysis: Pattern matching for fingerprinting APIs, tracking endpoints, encryption routines, and surveillance infrastructure
- Behavioral analysis: Runtime monitoring of network calls, cookie access, DOM mutations, and cross-script data flows
- Cross-reference: Systematic comparison against BrowserGate's published findings to independently verify claims
- Firefox-specific analysis: Identification of code paths that branch on browser type and APIs that behave differently in Firefox
chunk.905) that was not loaded during our Firefox session—which itself confirms that the extension scanning system is Chrome-only.
The APFC/DNA Fingerprinting Engine
At the core of LinkedIn's surveillance infrastructure is the APFC system, found in vendor-CUWVes2N.es.js (2MB). This system collects 48 browser characteristics through a component-based architecture, where each feature has a dedicated collection function:
// Extracted from vendor-CUWVes2N.es.js — the full APFC feature collection
{key:"webrtc",getData:eu.webRtcKey,shouldEnforceDataLimit:!0,dataLimit:1e3},
{key:"enumerateDevices",getData:eu.enumerateDevicesKey,dataLimit:22e3},
{key:"canvas",getData:eu.canvasKey},
{key:"webgl",getData:eu.webglKey,shouldEnforceDataLimit:!0,dataLimit:6e3},
{key:"audio",getData:eu.audioKey},
{key:"battery",getData:eu.batteryKey},
{key:"fonts",getData:eu.fontsComponent},
{key:"hardwareConcurrency",getData:eu.hardwareConcurrencyKey,alias:"numOfCores"},
{key:"deviceMemory",getData:eu.deviceMemoryKey},
{key:"incognito",getData:eu.incognitoKey},
{key:"automation",getData:eu.automationKey},
{key:"doNotTrack",getData:eu.doNotTrackKey},
{key:"webdriver",getData:eu.webdriver},
{key:"signals",getData:eu.signalsKey}, // Browser lie detection
// ... 34 more features
Canvas Fingerprinting
The canvas fingerprint renders specific text with specific fonts and compositing operations to produce a hash that varies by browser engine, GPU, and operating system:
// Canvas fingerprint generation — renders hidden element
ef.width=2e3, ef.height=200, ef.style.display="inline";
var em = ef.getContext("2d");
em.rect(0,0,10,10), em.rect(2,2,6,6);
em.font = "11pt no-real-font-123";
em.fillText("Cwm fjordbank glyphs vext quiz, 😃", 2, 15);
em.fillStyle = "rgba(102, 204, 0, 0.2)";
em.font = "18pt Arial";
em.fillText("Cwm fjordbank glyphs vext quiz, 😃", 4, 45);
// ... additional rendering operations ...
ef.toDataURL&&(ed.canvasHash = el.x64hash128(ef.toDataURL(), 23))
Audio Fingerprinting
The system creates an OfflineAudioContext, generates a triangle wave oscillator, pipes it through a dynamics compressor, and hashes the output. Different browser audio engines produce distinct fingerprints:
var em = new OfflineAudioContext(1, 44100, 44100),
eg = em.createOscillator();
eg.type = "triangle";
eg.frequency.setValueAtTime(1e4, em.currentTime);
var ey = em.createDynamicsCompressor();
// [threshold:-50, knee:40, ratio:12, reduction:-20, attack:0, release:0.25]
WebRTC Local IP Collection
// Attempts to collect local network IP addresses
{key:"getIPs",value:function(el,eu){
var ef = new (window.RTCPeerConnection ||
window.webkitRTCPeerConnection ||
window.mozRTCPeerConnection)(
{iceServers:[{urls:"stun:stun.l.google.com:19302"}]}
);
// ... collects ICE candidates containing local IPs ...
Browser Lie Detection
Perhaps most telling of the system's intent is the "signals" feature, which actively tests whether the user is spoofing their browser identity:
liedLanguages: function(){ return eu.getHasLiedLanguages() },
liedResolution: function(){ return eu.getHasLiedResolution() },
liedOS: function(){ return eu.getHasLiedOs() },
liedBrowser: function(){ return eu.getHasLiedBrowser() }
// Example: detects if reported OS doesn't match browser behavior
{key:"getHasLiedOs",value:function(){
var eu = navigator.userAgent.toLowerCase(),
ed = navigator.oscpu, // Firefox-only property
ef = navigator.platform;
// ... cross-references UA, oscpu, and platform for inconsistencies
}}
The oscpu property is Firefox-specific—Chrome returns undefined. LinkedIn's lie detection code uses this Firefox-only API to cross-reference the user agent string, meaning it can detect Firefox users who spoof their user agent as Chrome. Users employing browser fingerprint protection are actively identified.
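To see why a user-agent override alone is self-contradictory, the following added example (not LinkedIn's code, and not from the original article) cross-checks the same three properties the excerpt reads. The function names, issue labels and sample profiles are assumptions constructed for illustration; it can be used to test whether a spoofing configuration is internally consistent.

```javascript
// Added example, not LinkedIn's implementation: cross-check userAgent,
// oscpu and platform the way a consistency ("lie") test would.

// Map a userAgent, oscpu or platform string to a coarse OS family.
function sniffOs(text) {
  const s = String(text).toLowerCase();
  if (s.includes('android')) return 'Linux'; // Android reports a Linux oscpu/platform
  if (s.includes('iphone') || s.includes('ipad')) return 'iOS';
  if (s.includes('windows') || s.startsWith('win')) return 'Windows';
  if (s.includes('mac')) return 'Mac';
  if (s.includes('linux') || s.includes('x11')) return 'Linux';
  return 'Other';
}

// Coarse browser family from the userAgent string only.
function sniffBrowser(ua) {
  const s = ua.toLowerCase();
  if (s.includes('firefox/')) return 'Firefox';
  if (s.includes('chrome/')) return 'Chrome';
  if (s.includes('safari/')) return 'Safari';
  return 'Other';
}

// Return the list of contradictions between the three properties.
function findInconsistencies(nav) {
  const issues = [];
  const uaOs = sniffOs(nav.userAgent);
  const browser = sniffBrowser(nav.userAgent);
  const hasOscpu = typeof nav.oscpu === 'string' && nav.oscpu !== '';
  // oscpu exists only in Gecko, so its presence contradicts a non-Firefox UA.
  if (hasOscpu && browser !== 'Firefox') issues.push('oscpu-present-but-ua-not-firefox');
  if (!hasOscpu && browser === 'Firefox') issues.push('ua-firefox-but-oscpu-missing');
  if (hasOscpu && sniffOs(nav.oscpu) !== uaOs) issues.push('oscpu-os-differs-from-ua');
  if (nav.platform && sniffOs(nav.platform) !== uaOs) issues.push('platform-os-differs-from-ua');
  return issues;
}

// Constructed sample profiles (illustrative values, not captured data).
const FIREFOX_WIN_UA = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0';
const CHROME_WIN_UA = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36';
const PROFILES = {
  genuineFirefox: { userAgent: FIREFOX_WIN_UA, oscpu: 'Windows NT 10.0; Win64; x64', platform: 'Win32' },
  firefoxSpoofingChrome: { userAgent: CHROME_WIN_UA, oscpu: 'Windows NT 10.0; Win64; x64', platform: 'Win32' },
  linuxClaimingWindows: { userAgent: FIREFOX_WIN_UA, oscpu: 'Linux x86_64', platform: 'Linux x86_64' },
  genuineChrome: { userAgent: CHROME_WIN_UA, oscpu: undefined, platform: 'Win32' },
};

for (const [name, nav] of Object.entries(PROFILES)) {
  console.log(name, findInconsistencies(nav));
}
```

In a real browser, pass `navigator` itself to `findInconsistencies` to check the current configuration.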
Do Not Track: Collected, Then Ignored
The APFC system collects the user's Do Not Track preference:
{key:"getDoNotTrack",value:function(el){
return navigator.doNotTrack ? navigator.doNotTrack :
navigator.msDoNotTrack ? navigator.msDoNotTrack :
window.doNotTrack ? window.doNotTrack :
el.NOT_AVAILABLE
}}
But as BrowserGate documents, the DNT value is then excluded from the fingerprint hash. LinkedIn records that you asked not to be tracked, then proceeds to track you. Your preference becomes just another data point in your profile.
RSA Encryption and HTTP Header Injection
After collection, the fingerprint payload is encrypted with a hardcoded RSA public key identified as apfcDfPK and stored on globalThis.apfcDf. It is then injected as an HTTP header on every subsequent API request:
{key:"runHeaderInjectionInterceptorLogic",value:function(el,eu,ed){
if(ed && ed.isSyncEnabledWithHeaders && el && eu &&
void 0 !== tl.get(el) && globalThis.apfcDfAllH)
try{
var ef = JSON.stringify(globalThis.apfcDfAllH);
ef.length > 6e3 && (ef = ef.substring(0, 6e3));
eu.set("X-Li-Apfc-Data", ef) // Up to 6KB of fingerprint data per request
}catch(el){}
}}
The X-Li-Apfc-Data header carries up to 6 kilobytes of encrypted fingerprint data on every single API request your browser makes to LinkedIn. This means your device fingerprint is transmitted hundreds of times during a typical browsing session—not just once at page load.
Third-Party Surveillance Integrations
1. HUMAN Security (PerimeterX) — Hidden Iframe
LinkedIn loads a hidden iframe from li.protechts.net, positioned off-screen at left: -9999px:
ev = this.isProd() ? "PXdOjV695v" : "PXgoH0hfKu"; // Production app ID
eb = ed.getBcookie(); // LinkedIn session cookie
ew = "https://li.protechts.net/index.html?ts=" + ey +
"&r_id=" + encodeURIComponent(eg) +
"&app_id=" + ev + "&uc=scraping";
// Hidden iframe positioning
ek.style.position = "absolute";
ek.style.left = "-9999px";
document.body.appendChild(ek);
This iframe runs HUMAN Security's bot detection, reading and writing cookies: _px3, _pxhd, _pxvid, and pxcts. The entire system is invisible to the user.
2. Merchant Pool — Additional Device Fingerprinting
var ep = ed.getBcookie(),
eg = this.isProd() ?
"fb6bbd47-fa7c-4264-b4e9-b25948407586" : // Production instance
"ee078acd-0704-4344-9e5b-6b84b480c30a"; // Staging instance
var ey = "https://merchantpool1.linkedin.com/mdt.js?session_id="
.concat(ep, "&instanceId=").concat(eg);
3. Google reCAPTCHA v3 Enterprise — Hidden Badge
// reCAPTCHA loaded on every page with invisible execution
eg.src = "https://www.google.com/recaptcha/enterprise.js?render=" + em;
window.grecaptcha.enterprise.execute(
"6LcIy_MqAAAAAMKiupFSbmzW3xjGSlIfRzNWYMjC",
{action: "onPageLoad"}
);
// Badge deliberately hidden from user
var el = document.querySelector(".grecaptcha-badge");
el && (el.style.display = "none");
display: none without the required attribution text may violate these terms.
The LIX Experimentation System
All of these surveillance features are controlled by LinkedIn's internal LIX (LinkedIn Experimentation) system, allowing the company to A/B test surveillance features on different user populations:
| LIX Flag | Controls |
|---|---|
| pemberly.tracking.fireApfcEvent | DNA fingerprint collection activation |
| pemberly.tracking.human.integration | HUMAN Security (PerimeterX) iframe |
| pemberly.tracking.dfp.integration | Merchant Pool device fingerprinting |
| pemberly.tracking.recaptcha.v3 | Google reCAPTCHA v3 Enterprise |
| pemberly.tracking.apfc.network.interceptor | Network request interception |
| sync.apfc.headers | HTTP header fingerprint injection |
| sync.apfc.couchbase | Server-side fingerprint storage |
| pemberly.web.ondemand | On-demand fingerprint collection mode |
The use of experimentation flags means that not all users see the same surveillance. Some may have certain features enabled while others don't, making it difficult for researchers to reproduce findings consistently. This is itself a form of evasion—if a privacy researcher is placed in a control group, they may conclude the tracking doesn't exist.
Behavioral Surveillance: The como Framework
Beyond device fingerprinting, LinkedIn's como-YRLD7XWd.es.js (262KB) implements comprehensive behavioral surveillance:
- ImpressionRecordManager: Tracks exactly which content enters your viewport, for how long, and at what scroll position
- Tab visibility monitoring: Knows when you switch away from the LinkedIn tab and how long you're gone
- getDnaSignalPromise: A function exported from the como framework that bridges to the APFC fingerprinting system—the name suggests persistent device-level identification
- Sensor collection: Reports detailed metrics to /sensorCollect/?action=reportMetrics
- li/track endpoint: Batches up to 29 events per request to https://www.linkedin.com/li/track
Tealium: The Additional Tracking Layer
Separate from LinkedIn's own fingerprinting, the dynamically injected utag.js (148KB) from platform.linkedin.com is Tealium's tag management system, orchestrating:
- Adobe Audience Manager (DIL v9.4, partner ID: lnkd) — behavioral profiling for ad targeting
- Adobe Visitor ID Service (org: 14215E3D5995C57C0A495C55) — persistent visitor IDs with 6-month cookie lifetime
- Google Consent Mode — conditional analytics loading
RDlocalStorage and RDsessionStorage functions. This means any sensitive data stored by other scripts, browser extensions, or web applications in browser storage can be read and transmitted by LinkedIn's tag manager. This is indiscriminate data collection that extends beyond LinkedIn's own data.
Data is transmitted to:
| Domain | Purpose |
|---|---|
| demdex.net | Adobe Audience Manager (cross-site tracking) |
| *.2o7.net | Adobe Analytics (Omniture) |
| *.omtrdc.net | Adobe Target (A/B testing & personalization) |
| googletagmanager.com | Google Tag Manager |
| li.protechts.net | HUMAN Security (PerimeterX) |
| merchantpool1.linkedin.com | Merchant Pool fingerprinting |
What Firefox Users Need to Know
The BrowserGate research focused primarily on Chrome. Our analysis reveals the full picture for Firefox users:
What Firefox Users Are Spared
- Extension scanning: The chrome-extension:// URL probing (6,222+ extension IDs) is completely skipped on Firefox. The code checks isUserAgentChrome() before executing.
- Battery API: Firefox removed navigator.getBattery() in Firefox 52 (2017) due to fingerprinting concerns. The APFC system receives NOT_AVAILABLE for this feature.
What Firefox Users Still Face
| Surveillance System | Active on Firefox? | Notes |
|---|---|---|
| APFC/DNA fingerprinting (48 features) | Yes | 46 of 48 features active (battery & some WebRTC limited) |
| Canvas fingerprinting | Yes | Different hash than Chrome (Gecko vs Blink rendering) |
| WebGL fingerprinting | Yes | Different vendor/renderer strings |
| Audio fingerprinting | Yes | Different DSP pipeline produces distinct hash |
| WebRTC IP collection | Partial | Firefox uses mDNS candidates (more private) |
| HUMAN Security iframe | Yes | Hidden iframe loaded identically |
| Merchant Pool | Yes | Same fingerprinting script loaded |
| reCAPTCHA v3 Enterprise | Yes | Hidden badge, same behavioral analysis |
| Lie/spoof detection | Yes | Uses oscpu (Firefox-only) for cross-referencing |
| Incognito detection | Yes | Different detection vectors per browser |
| Automation detection | Yes | Firefox-specific Selenium/webdriver checks |
| HTTP header injection | Yes | X-Li-Apfc-Data on every request |
| Extension scanning | No | Chrome-only (chrome-extension://) |
The Firefox Paradox
Ironically, Firefox users may be more uniquely identifiable in certain respects. Because Firefox has a smaller market share and different API implementations, the combination of:
- A Gecko-specific canvas hash (different from the Chrome majority)
- The presence of navigator.oscpu (absent on Chrome)
- The absence of Battery API data (removed from Firefox)
- Different WebGL renderer strings
- mDNS WebRTC candidates instead of raw IPs
...creates a fingerprint that stands out precisely because it's different from the Chrome majority. The APFC system's feature index mapping (with 48 indexed features) can trivially distinguish Firefox from Chrome users, and the smaller Firefox population makes individual identification within that subset easier.
"Chrome" !== ef || !0 !== navigator.webdriver ?
"Firefox" === ef &&
window.document.documentElement.getAttribute("webdriver") ||
"_Selenium_IDE_Recorder" in window ||
"__webdriver_script_fn" in document ?
el("Selenium") : ...
This means LinkedIn maintains browser-specific detection logic, not a one-size-fits-all approach.
Stealth Execution Techniques
LinkedIn's surveillance code employs several techniques to avoid detection and minimize performance impact:
- requestIdleCallback: Fingerprint collection is deferred until the browser is idle, preventing visible performance degradation that might alert users
- LZ compression: Fingerprint payloads are compressed before transmission to reduce bandwidth footprint
- Off-screen positioning: The HUMAN Security iframe is placed at left: -9999px—present in the DOM but invisible
- Hidden reCAPTCHA badge: The legally-required reCAPTCHA indicator is suppressed with display: none
- Batch transmission: Events are batched (up to 29 per request) to reduce the number of visible network requests
- Meaningful paint trigger: Collection begins only after mark_meaningful_paint_end, ensuring the page appears to have loaded before surveillance begins
Verification Status: BrowserGate Cross-Reference
Our independent analysis corroborated the vast majority of BrowserGate's findings. The following table summarizes our verification:
| BrowserGate Finding | Independently Verified? | Location in Our Capture |
|---|---|---|
| APFC/DNA fingerprinting engine | ✅ YES | vendor-CUWVes2N.es.js |
| 48 fingerprint features | ✅ YES | vendor-CUWVes2N.es.js |
| Canvas fingerprinting | ✅ YES | vendor-CUWVes2N.es.js |
| WebGL fingerprinting (65+ params) | ✅ YES | vendor-CUWVes2N.es.js |
| Audio fingerprinting | ✅ YES | vendor-CUWVes2N.es.js |
| WebRTC IP collection | ✅ YES | vendor-CUWVes2N.es.js |
| RSA encryption (apfcDfPK) | ✅ YES | vendor-CUWVes2N.es.js |
| li/track endpoint (batch: 29) | ✅ YES | vendor-CUWVes2N.es.js, como |
| HUMAN Security iframe (PXdOjV695v) | ✅ YES | vendor-CUWVes2N.es.js |
| Hidden iframe at -9999px | ✅ YES | vendor-CUWVes2N.es.js |
| Merchant Pool (fb6bbd47-...) | ✅ YES | vendor-CUWVes2N.es.js |
| reCAPTCHA v3 Enterprise | ✅ YES | vendor-CUWVes2N.es.js |
| All 8+ LIX feature flags | ✅ YES | vendor-CUWVes2N.es.js |
| X-Li-Apfc-Data header injection | ✅ YES | vendor-CUWVes2N.es.js |
| DNT collected then excluded | ✅ YES | vendor-CUWVes2N.es.js |
| Browser lie detection | ✅ YES | vendor-CUWVes2N.es.js |
| LZ compression | ✅ YES | vendor-CUWVes2N.es.js |
| requestIdleCallback stealth | ✅ YES | vendor-CUWVes2N.es.js, como |
| Chrome extension scanning (AED) | ❌ Not captured | In chunk.905 (not loaded on Firefox) |
| 6,222 extension ID array | ❌ Not captured | In chunk.905 (Chrome-only) |
| Privacy Sandbox APIs | ❌ Not found | Not used by LinkedIn |
Recommendations for Users
- Block Tealium: Adding platform.linkedin.com/litms/utag/ to your blocker removes Adobe and Google tracking without breaking LinkedIn functionality
- Use Firefox with Enhanced Tracking Protection: Set to "Strict" mode to block known fingerprinting domains including demdex.net and 2o7.net
- Block Third-Party Cookies: Prevents _px3, _pxhd, _pxvid, and pxcts from persisting across sessions
- Use uBlock Origin: With the "Fingerprinting Protection" filter list, many of the canvas and WebGL fingerprinting calls can be neutralized
- Disable WebRTC (if not needed): Set media.peerconnection.enabled to false in about:config to prevent IP leaks
- Consider Tor Browser: For maximum privacy, Tor Browser normalizes many fingerprinting vectors, though LinkedIn may restrict functionality
For Security Researchers
- Monitor X-Li-Apfc-Data: Check your browser's network inspector for this header on LinkedIn API requests—its presence confirms active fingerprint injection
- Watch for li.protechts.net: The HUMAN Security iframe is a strong indicator of active behavioral surveillance
- Track globalThis.apfcDf: In the browser console, check if this global variable is set—it contains your encrypted fingerprint
- Investigate getDnaSignalPromise: This function in the como framework deserves further research as a potential persistent device fingerprinting mechanism
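The network checks above can be run in bulk over a HAR file saved from the browser's network inspector. This is an added example, not code from the article or from LinkedIn: it assumes the standard HAR 1.2 layout (log.entries[].request), takes its indicators from this article's text and domain table, and uses a constructed sample with placeholder paths and values.

```javascript
// Added example: count the article's network indicators in a HAR export.
const FINGERPRINT_HEADER = 'x-li-apfc-data';
const WATCHED_DOMAINS = {
  'li.protechts.net': 'HUMAN Security (PerimeterX)',
  'merchantpool1.linkedin.com': 'Merchant Pool fingerprinting',
  'demdex.net': 'Adobe Audience Manager',
  '2o7.net': 'Adobe Analytics (Omniture)',
  'omtrdc.net': 'Adobe Target',
  'googletagmanager.com': 'Google Tag Manager',
};
const PX_COOKIES = new Set(['_px3', '_pxhd', '_pxvid', 'pxcts']);

// Return the watched domain that equals the hostname or is a parent of it.
function matchDomain(hostname) {
  const host = hostname.toLowerCase();
  return Object.keys(WATCHED_DOMAINS)
    .find((d) => host === d || host.endsWith('.' + d)) || null;
}

// Walk the HAR entries and tally each indicator.
function auditHar(har) {
  const report = { headerRequests: 0, maxHeaderBytes: 0, domains: {}, pxCookies: [], trackBatches: 0 };
  const cookiesSeen = new Set();
  for (const { request } of har.log.entries) {
    let url;
    try { url = new URL(request.url); } catch (e) { continue; } // skip unparsable URLs
    for (const h of request.headers || []) {
      if (h.name.toLowerCase() !== FINGERPRINT_HEADER) continue; // header names are case-insensitive
      report.headerRequests += 1;
      report.maxHeaderBytes = Math.max(report.maxHeaderBytes, Buffer.byteLength(h.value, 'utf8'));
    }
    const domain = matchDomain(url.hostname);
    if (domain) report.domains[domain] = (report.domains[domain] || 0) + 1;
    for (const c of request.cookies || []) {
      if (PX_COOKIES.has(c.name)) cookiesSeen.add(c.name);
    }
    if (url.hostname === 'www.linkedin.com' && url.pathname === '/li/track') report.trackBatches += 1;
  }
  report.pxCookies = [...cookiesSeen].sort();
  return report;
}

// Constructed sample HAR (placeholder paths and values, not captured traffic).
const SAMPLE_HAR = { log: { entries: [
  { request: { url: 'https://www.linkedin.com/placeholder-api/a',
      headers: [{ name: 'X-Li-Apfc-Data', value: 'A'.repeat(120) }], cookies: [] } },
  { request: { url: 'https://www.linkedin.com/placeholder-api/b',
      headers: [{ name: 'x-li-apfc-data', value: 'B'.repeat(300) }], cookies: [] } },
  { request: { url: 'https://li.protechts.net/index.html?ts=0&app_id=PLACEHOLDER',
      headers: [], cookies: [{ name: '_px3', value: 'x' }, { name: '_pxvid', value: 'y' }] } },
  { request: { url: 'https://merchantpool1.linkedin.com/mdt.js?session_id=PLACEHOLDER',
      headers: [], cookies: [] } },
  { request: { url: 'https://sub.demdex.net/placeholder', headers: [], cookies: [] } },
  { request: { url: 'https://www.linkedin.com/li/track', headers: [], cookies: [] } },
  { request: { url: 'https://example.org/', headers: [], cookies: [] } },
] } };

console.log(JSON.stringify(auditHar(SAMPLE_HAR), null, 2));
```

To audit a real session under Node.js, replace SAMPLE_HAR with the parsed contents of the exported .har file. Because the LIX flags gate these features per user, a zero count in one capture does not show the feature is absent for other accounts.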
Broader Implications
LinkedIn's surveillance infrastructure raises fundamental questions about the boundaries of "anti-fraud" technology. While device fingerprinting can serve legitimate security purposes—detecting bot accounts, preventing credential stuffing—the scope documented here goes considerably further:
- 48-feature fingerprinting goes far beyond what's needed for bot detection
- Behavioral surveillance (viewport tracking, tab visibility, scroll position) constitutes user monitoring, not fraud prevention
- Storage sweeping by the Tealium tag manager accesses data beyond LinkedIn's own domain
- Hidden iframes and suppressed badges suggest an intent to avoid user awareness
- A/B testing of surveillance via LIX flags means the system's scope can change without notice
Under the EU's General Data Protection Regulation (GDPR), device fingerprinting constitutes processing of personal data and typically requires explicit consent. The extent to which LinkedIn's cookie consent mechanisms adequately inform users about the full scope of this fingerprinting system warrants examination by data protection authorities.
Conclusion
Our independent analysis of LinkedIn's production JavaScript confirms that the platform operates a sophisticated, multi-layered surveillance infrastructure that extends well beyond conventional web analytics. Firefox users, while spared the Chrome extension scanning documented by BrowserGate, are subjected to nearly the complete fingerprinting and behavioral surveillance stack.
The combination of 48-feature device fingerprinting, encrypted payload injection on every API request, hidden third-party iframes, storage sweeping, and behavioral monitoring creates a surveillance apparatus that is difficult for users to detect, understand, or meaningfully consent to. The use of experimentation flags to selectively enable and disable surveillance features adds another layer of opacity.
We publish these findings to enable informed decision-making by LinkedIn users and to support the work of privacy researchers and regulators examining these practices. The Karma-X Security Research Team remains committed to transparency in how platforms handle user data.