
Google is facing a serious privacy backlash after a security researcher proved that Chrome has been quietly installing a 4GB AI model file onto user devices without asking for consent, without sending a notification, and without offering an opt-out. The story went viral across developer and privacy communities this week and is now drawing legal scrutiny under European data protection law.
Security researcher Alexander Hanff, known as ThatPrivacyGuy, reports that Chrome has been silently installing Gemini Nano, Google's on-device AI model, as a file called weights.bin stored in the OptGuideOnDeviceModel directory within users' Chrome profiles. This 4GB download happens automatically when Chrome determines your device meets the hardware requirements. It does not ask for consent and sends no notification. And if you discover the file and delete it, Chrome simply downloads it again. (Source: Malwarebytes)
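To check a machine for the file described above, the following added example (not code from Hanff's report, Malwarebytes or Google) walks a directory you supply and reports every weights.bin found under an OptGuideOnDeviceModel directory. The function names are hypothetical, and the directory to scan is an input because the article does not give a full path.

```python
import os
import sys
from pathlib import Path

MODEL_DIR = "OptGuideOnDeviceModel"  # directory name reported in the article
MODEL_FILE = "weights.bin"           # file name reported in the article


def find_model_files(root):
    """Return a sorted list of (path, size_bytes) for every weights.bin that
    sits at or below a directory named OptGuideOnDeviceModel under `root`."""
    hits = []
    # onerror swallows unreadable directories so one bad folder
    # does not abort the whole audit
    for dirpath, _dirs, filenames in os.walk(root, onerror=lambda err: None):
        if MODEL_DIR not in Path(dirpath).parts or MODEL_FILE not in filenames:
            continue
        path = Path(dirpath) / MODEL_FILE
        try:
            hits.append((str(path), path.stat().st_size))
        except OSError:
            continue  # file vanished or is unreadable; skip it
    return sorted(hits)


def total_bytes(hits):
    """Sum the on-disk size of all model files found."""
    return sum(size for _path, size in hits)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} <chrome-data-or-profile-directory>")
    found = find_model_files(sys.argv[1])
    for path, size in found:
        print(f"{size / 2**30:6.2f} GiB  {path}")
    print(f"{len(found)} file(s), {total_bytes(found) / 2**30:.2f} GiB total")
```

Running it again some time after deleting the file shows whether the model has returned, which is the behaviour the report describes.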
What the Model Actually Does
The Gemini Nano model powers features like "Help me write" text composition assistance, on-device scam detection, and a Summarizer API that websites can call directly. These features are enabled by default in some recent Chrome versions. (Source: Malwarebytes)
The practical problem is that most users have no idea this file is sitting on their machine. Chrome 147 renders an "AI Mode" pill in the address bar - the most visible piece of real estate in the browser. A reasonable user in 2026, knowing Chrome has silently installed an on-device AI model, would assume the visible "AI Mode" label means their queries stay on the device. However, AI Mode routes to Google's servers regardless, while the 4GB local model sits on the disk powering features users likely haven't found yet. (Source: Medium)
The Legal Exposure
Hanff says that the silent installation of the model could potentially be illegal in several jurisdictions. Laws he claims it may violate include the ePrivacy Directive Article 5(3), which prohibits storing information on user terminal equipment without prior consent, and GDPR Article 5(1) and GDPR Article 25, which promote transparency and data protection by design and by default. (Source: Neowin)
Chrome's market share has held above 64% globally, with a user base estimated between 3.45 billion and 3.83 billion individuals worldwide. At that scale, the question of whether Chrome's automatic AI model deployment requires explicit user consent has genuine regulatory teeth. (Source: That Privacy Guy!)




