Google Chrome Installed a 4GB AI Model on Your PC Without Asking
Chrome has been pushing Gemini Nano to billions of devices through its background update system, without a prompt, without a notification, and without an easy way out. The backlash has been loud. Google's response has been thin.
- 4GB Gemini Nano model pushed silently to Chrome users
- 3.5B Chrome users worldwide potentially affected
- 0 Consent prompts shown before the download
Security researcher Alexander Hanff was running a routine automated audit in late April when he noticed something off. A fresh Chrome profile he had created for testing, one that had never received a single keystroke from a human user, had quietly accumulated 4 gigabytes of data in a folder called OptGuideOnDeviceModel. Inside it: a file named weights.bin. The file contained the model weights for Gemini Nano, Google's on-device AI. Nobody had asked for it. Nobody had been told it arrived. And when Hanff deleted it, Chrome downloaded the whole thing again on the next restart.
His writeup went everywhere fast, and for good reason. This is not a bug. It is a design decision, and it affects potentially hundreds of millions of machines running Chrome across Windows, Mac, and Linux right now.
What Exactly Got Installed, and What Does It Do
Gemini Nano is the smallest model in Google's Gemini family, built specifically to run locally on device rather than calling out to cloud servers. Chrome has been integrating it through something called the Prompt API, which lets websites and Chrome's own features call the model directly. The on-device capabilities it powers include a "Help me write" text assistant, real-time scam detection in the address bar, a Summarizer API that websites can invoke, and translation features.
The model has been baked into Chrome progressively since 2024, but it was 1.5GB back then. At 4GB now, it crossed a threshold where a lot of people actually noticed it. On machines with limited storage, older SSDs, or metered connections, a silent 4GB push is not a trivial event. In parts of the world where 4GB represents an entire month's mobile data allowance, this is genuinely disruptive.
"Chrome did not ask. Chrome does not surface it. If the user deletes it, Chrome re-downloads it." — Alexander Hanff, security researcher
The bigger technical issue is one of architecture. Chrome's component update system, which normally handles security patches and codec updates in the background, was used to deliver what is functionally a product feature: a new AI inference capability. Users implicitly accept background security updates as a condition of running a browser. They have not similarly accepted silent deployment of new AI models as a product category.
The Part That Made People Really Angry
The backlash might have stayed contained if the story ended at "big silent download." But there is a detail that made it significantly worse. Chrome 147 added a visible "AI Mode" pill to the right of the address bar, right in the most prominent piece of real estate in the browser. A reasonable person, knowing that a 4GB on-device AI model has just been installed on their machine, would assume that this "AI Mode" button uses the local model. That the queries stay on their device. That the whole point of the local model is to power that feature.
That assumption is completely wrong. The "AI Mode" button sends every query to Google's cloud servers for processing. The local Gemini Nano model has no connection to it whatsoever. Users absorb the storage and bandwidth cost of a 4GB local model, while the most visible AI feature in their browser silently ships their typing to Google's servers anyway. That specific contradiction is what turned a privacy complaint into genuine fury.
After the backlash, Google quietly updated Chrome's settings page to remove the phrase "without sending your data to Google servers" from the Gemini Nano description. The company has not explained why that assurance was removed or what changed.
What Google Said, and What It Did Not Say
Chrome's VP Parisa Tabriz responded publicly on X, emphasizing that on-device AI is central to Chrome's security and developer strategy and that Gemini Nano processes data locally rather than sending it to Google's servers. She noted that the model automatically uninstalls when a device runs low on storage. Google separately told press that an opt-out toggle exists in Chrome Settings, and that disabling it prevents re-downloading.
What Tabriz did not address was the consent question itself. Nobody asked why Google used the component update system, a channel users trust for security patches, to deploy a new AI product feature without a disclosure flow. Nobody explained why deleting the file triggers an automatic re-download rather than respecting the user's clearly expressed preference. The response defended the technology while sidestepping the architecture decision that generated the anger.
Privacy lawyers have pointed to potential GDPR exposure in Europe, where silent installation of software that processes data, even locally, may require explicit user consent under Article 7. The California Consumer Privacy Act raises similar questions under US law. Google has not commented on either angle.
How to Actually Stop It
Deleting weights.bin manually does not work. Chrome reinstalls it on the next launch. The proper way to disable it depends on your operating system.
Easiest method (all platforms)
Open Chrome Settings, search for "AI" or navigate to Privacy and Security, find "AI features" or "On-device AI", and disable the toggle. Once disabled, Chrome will not re-download the model.
Windows (registry, permanent policy lock)
Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome
Key: GenAILocalFoundationalModelSettings
Type: DWORD
Value: 1
Mac / Windows (manual file lock fallback)
Find: [Chrome Profile]/OptGuideOnDeviceModel/weights.bin
Replace weights.bin with a 0-byte file
Then lock the file and parent folder against writing
For enterprise environments, the registry policy approach is the cleanest option since it survives Chrome updates and applies across user profiles. The Settings toggle is sufficient for personal machines. Either way, the default behavior, which is to install and maintain a 4GB model silently, will continue until you explicitly opt out.
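To check whether the model is present and whether the manual file lock fallback is actually in place, the steps above can be scripted. This Python sketch is an added example, not code from Google or from Hanff's writeup: the function names are hypothetical, the directory to scan is passed in by the caller, and the lock relies on POSIX permission bits (on Windows the folder would additionally need an ACL change, which this does not do).

```python
import stat
from pathlib import Path

MODEL_DIR = "OptGuideOnDeviceModel"  # folder name given in the article
MODEL_FILE = "weights.bin"           # file name given in the article
WRITE_BITS = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH


def find_model_files(root):
    """Return every weights.bin located under an OptGuideOnDeviceModel folder.

    Assumption: the file may sit directly in that folder or in a subfolder of it.
    """
    root = Path(root)
    hits = []
    for path in root.rglob(MODEL_FILE):
        if path.is_file() and MODEL_DIR in path.relative_to(root).parts[:-1]:
            hits.append(path)
    return sorted(hits)


def classify(path):
    """Return (state, size_in_bytes) for one weights.bin."""
    path = Path(path)
    info = path.stat()
    if info.st_size > 0:
        return "model-present", info.st_size
    file_locked = not (info.st_mode & WRITE_BITS)
    dir_locked = not (path.parent.stat().st_mode & WRITE_BITS)
    state = "locked-placeholder" if file_locked and dir_locked else "unlocked-placeholder"
    return state, 0


def lock_placeholder(path):
    """Apply the manual fallback: 0-byte file, then file and parent read-only."""
    path = Path(path)
    parent = path.parent
    parent.chmod(parent.stat().st_mode | stat.S_IWUSR)  # allow the rewrite if re-run
    if path.exists():
        path.chmod(path.stat().st_mode | stat.S_IWUSR)
    path.write_bytes(b"")                                # replace with a 0-byte file
    path.chmod(path.stat().st_mode & ~WRITE_BITS)        # lock the file
    parent.chmod(parent.stat().st_mode & ~WRITE_BITS)    # lock the parent folder


def audit(root):
    """Map each weights.bin found under root to its (state, size)."""
    return {str(p): classify(p) for p in find_model_files(root)}
```

A result of "unlocked-placeholder" means the file was emptied but either it or its folder is still writable, so the lock step is incomplete.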
The Bigger Picture Here
Chrome holds above 64% of the global browser market and has somewhere between 3.45 and 3.83 billion active users depending on the source. At that scale, even a 10% deployment rate means 350 million machines receiving a 4GB payload that was never requested. The aggregate bandwidth consumption of that single push is enormous. Climate researchers quoted in TechRadar estimated the CO2 equivalent of the rollout at somewhere between 6,000 and 60,000 tonnes depending on assumptions about device mix and network infrastructure.
But the real issue is not storage or bandwidth. It is the precedent. Google just demonstrated that it can use Chrome's trusted update channel to silently deploy new AI product capabilities to a significant fraction of the world's computers, without a consent flow, without a notification, and without a meaningful opt-out until users actively seek one. If that model of deployment becomes normal, the question of what gets pushed next becomes genuinely important. Other browser vendors and software companies are watching how this lands.
This is not a story about a 4GB file. It is a story about who gets to decide what runs on your hardware, and whether "I installed a browser" constitutes consent for everything that browser decides to put there later.
The Nvidia earnings call on May 20 will dominate the news cycle by midweek, and this story will likely fade from the front page. But the regulatory and consent questions it raised are not going away. The EU is already asking questions. The answers, whenever they come, will shape how every major software vendor approaches on-device AI deployment for the next several years.
Frequently Asked Questions
What is the Gemini Nano file Chrome installed on my computer?
It is a 4GB AI model file called weights.bin, stored inside a folder named OptGuideOnDeviceModel within your Chrome user profile. Google uses it to power on-device AI features like scam detection, writing assistance, and a Summarizer API that websites can access through Chrome. The model runs locally on your hardware rather than on Google's servers, which is why it needs to be stored on your machine. Most users only discover it when they notice unexpected storage usage or run a disk audit.
Did Google ask for permission before installing the Gemini Nano model?
No. Chrome downloaded the model silently through its background component update system, the same channel it uses for security patches and codec updates, without presenting any consent prompt, notification, or opt-in screen. The download happens automatically when Chrome determines your device meets the hardware requirements, with no consent asked and no notification sent. An opt-out toggle does exist in Chrome Settings under AI features, but you have to know to look for it. The default behavior is to install and maintain the model without telling you.
Why does Chrome keep reinstalling the Gemini Nano file after I delete it?
Chrome treats the file as a managed component and re-downloads it automatically on the next browser restart if it detects the file is missing. Manually deleting weights.bin is not enough to stop it. To prevent re-installation, you need to either disable the AI features toggle in Chrome Settings, apply a registry policy on Windows using the GenAILocalFoundationalModelSettings key, or replace the file with a locked zero-byte file. Once the toggle is properly disabled through Settings, Chrome will stop re-downloading the model.
Is the Gemini Nano model in Chrome sending my data to Google?
Google says the model processes data locally on your device and does not send it to their servers. However, the situation is more complicated than that. Chrome's visible AI Mode button in the address bar sends every query to Google's cloud servers for processing, meaning it has no connection to the local Gemini Nano model whatsoever. Google also quietly removed the phrase "without sending your data to Google servers" from Chrome's settings page after the backlash, without explaining why that assurance was taken down. If you use Chrome's cloud-backed AI features, your data does travel to Google regardless of whether the local model is installed.
Is Google Chrome's silent Gemini Nano install illegal under GDPR or CCPA?
That question is actively being debated. Security researcher Alexander Hanff argued that the behavior could be in direct breach of EU GDPR regulations, which require clear legal basis and transparency for software that processes user data, even locally. Under California's CCPA, similar consent and disclosure obligations may apply. Google has not publicly addressed either legal angle. No enforcement action has been announced as of May 2026, but European regulators have a track record of investigating exactly this type of silent deployment at scale, and the case appears to meet several of the thresholds that have triggered investigations in the past.
