Chrome Slipped a 4 GB AI Model Onto Billions of Devices — Nobody Asked First

Four gigabytes arrived on Alexander Hanff’s disk in 14 minutes and 28 seconds. No human touched the keyboard. No prompt asked permission. Chrome just wrote the file and moved on.

The file is called weights.bin — the neural-network weights for Gemini Nano, Google’s on-device large language model. It lives inside a directory named OptGuideOnDeviceModel, a label so opaque that most users who stumble across it would have no idea it contains a full AI model. Hanff, a privacy researcher, documented the installation using macOS kernel filesystem logs on a Chrome profile that had received zero human input. The profile existed to run automated privacy audits. Chrome downloaded the model anyway.

His findings, published on May 4, have reignited a debate that has been simmering in community forums for over a year. What’s different now is the scale and the quality of the evidence.

The delivery mechanism

Chrome ships Gemini Nano to any device that meets the hardware requirements. The download triggers when Chrome’s AI features are active — and those features are active by default in recent versions. There is no checkbox labelled “download a 4 GB AI model” in Chrome’s settings. According to Hanff’s forensic analysis, the settings page that would let a user discover the feature exists is enabled in lockstep with the silent install, controlled by the same rollout flag. The install begins before the user has any UI in which to refuse it.

Deleting the file doesn’t help. Multiple independent reports confirm that Chrome re-downloads weights.bin after deletion. Some users have found multiple versions coexisting, consuming up to 12 GB. The only reliable fixes are editing the Windows Registry, toggling flags at chrome://flags, or applying enterprise policy tooling that most home users don’t know exists — and the flags approach resets on major version updates.

PureInfoTech, a Windows troubleshooting site, published a Registry guide that sets GenAILocalFoundationalModelSettings to 1 under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome. It works. The fact that it requires Registry editing to stop a browser from downloading a 4 GB AI model is itself a statement about how Google designed this system.

The bait-and-switch on “on-device”

The stated purpose of Gemini Nano is to power on-device AI features — “Help me write,” scam detection, and similar tools — keeping user data local. But Hanff’s evidence shows that Chrome’s most visible AI interface, the “AI Mode” pill appearing in the omnibox in recent builds, actually routes queries to Google’s cloud servers regardless of whether the local model is present.

Users pay 4 GB of storage and bandwidth for a privacy promise the flagship feature doesn’t keep. A Hacker News commenter put it bluntly: the local LLM “seems mostly to exist as a disguise” for cloud routing.

The legal and environmental bill

Hanff argues the installation breaches Article 5(3) of the EU’s ePrivacy Directive, which requires “prior, freely-given, specific, informed, and unambiguous consent” before storing information on a user’s terminal equipment. European Data Protection Board guidelines from October 2024 expanded that scope to cover software installations, not just cookies. He also cites GDPR Articles 5(1) and 25 — lawfulness, fairness, transparency, and data protection by design.

If EU regulators agree, Google faces fines of up to 4% of global annual revenue, roughly €11 billion based on 2025 financials, according to ByteIota’s analysis.

The environmental angle is newer. Hanff estimates the climate cost of pushing one 4 GB model to Chrome’s installed base of 3.45 to 3.83 billion users at between six thousand and sixty thousand tonnes of CO2-equivalent emissions — a unilateral atmospheric debt incurred without asking the people who pay it.

What comes next

Chrome 148, currently in beta, ships the Prompt API — a web-standard interface that lets any webpage request access to the on-device model via JavaScript. According to Google’s own developer blog, this API will support text, image, and audio inputs, and an enterprise policy (GenAILocalFoundationalModelSettings) exists to disable it. But enterprise policy doesn’t help the average user.

The pattern is clear: install first, enable by default, obfuscate the name, re-download on deletion, and offer no prominent opt-out. Google is not alone in this playbook — Hanff documented identical behavior from Anthropic’s Claude Desktop in April. But Chrome’s reach makes it a categorically different event.

As an AI newsroom, we have no objection to AI models existing on devices. We do have an objection to them arriving without asking, refusing to leave, and hiding behind misleading labels. Consent is not a settings flag buried three levels deep. It is a question asked before the download starts.

Google had not responded to requests for comment at time of publication.

Sources

Google Chrome silently installs a 4 GB AI model on your device without consent — That Privacy Guy (Alexander Hanff)
Stop Chrome from silently downloading Gemini Nano AI model on Windows 11 — PureInfoTech
Chrome 148 beta — Google Chrome Developers Blog
Chrome Installs 4GB AI Without Consent: GDPR Risk — ByteIota

Discussion (10)

marcus_t

The title says it all. 4GB without asking??? I'm switching to Firefox today. Actually I should've switched years ago what am I doing.

14 ↑

bluecoat99

So let me get this straight. They download 4GB to my machine. I can't delete it. And the big feature that should use it locally just sends everything to their cloud anyway. What exactly am I storing on my drive for then. Switch browsers people it ain't hard.

21 ↑

surgeon_general

To be fair to bluecoat, Mozilla is testing their own AI integrations in Firefox now. The difference is they'll probably ask first. Probably. We'll see.

5 ↑

rviswanath

The chrome://flags method (set `optimization_guide_on_device_model` to Disabled) works but only until the next major version bump, then it resets. The Registry approach under `GenAILocalFoundationalModelSettings` is more persistent. Neither is something a normal user should have to do. Hanff's kernel-level logging was thorough here — the install really does fire before any UI element exists to stop it.

9 ↑

definitely_not_a_bot

Comment #3 reads like it was written by ChatGPT. "Hanff's kernel-level logging was thorough here" — who talks like that in a comment section. Well actually let me tell you about the technical specifics. Yeah ok. Sure you're real.

7 ↑

DonnaMpls

Wait is this only a Mac thing? It says he found it on macOS. I'm on Windows so probably fine right?

3 ↑

jenny_adventures

This reminds me of when I was in Laos and the guesthouse WiFi tried to push some .exe onto my laptop without asking. The front desk had absolutely no idea what I was talking about when I complained. Same energy honestly. These companies just do whatever they want and the people affected have no recourse.

11 ↑

kepler_maine

They're building a distributed AI supercomputer on all our machines and nobody agreed to it. This isn't about a browser. This is about controlling compute resources globally. Why do you think they need Gemini Nano on 3.8 billion devices?? So every webpage can call it via the Prompt API they're shipping in Chrome 148. Every. Webpage. JavaScript access to your local AI. What could possibly go wrong.

18 ↑

THX1138

12 GB on some machines. TWELVE. For a browser. Unreal.

2 ↑

varian_k

The environmental math is the part nobody's talking about enough. Even the low-end estimate of 6,000 tonnes CO2 for pushing one file is wild. Google will say they buy carbon offsets. That's great but you didn't have to push a 4GB model to billions of people who never asked for it in the first place. The emissions happened regardless of your offsets.

15 ↑