Chrome automatically downloads 4GB AI model file without user consent, researcher alleges
Computer scientist Alexander Hanff claims the behaviour violates European privacy laws and incurs significant environmental costs, though Google has not yet responded to the claims

Google Chrome is reportedly downloading a 4GB file containing Gemini Nano AI model weights without explicit user opt-in, according to an investigation by researcher Alexander Hanff. The file, identified as "weights.bin", is allegedly installed automatically on devices running Chrome version 148.0.7778.97, facilitating on-device features such as "help me write" and scam detection without prompting the user for permission.
Hanff verified the presence of the file across multiple devices, including personal Macs, a second Mac, a coworker's laptop, and various Windows installations. The file is located within the macOS Library directory, a location typically hidden from standard user views to prevent accidental modification of critical system files. This concealment means the average user is unaware that such a substantial data transfer is occurring on their machine.
The automatic nature of the download was confirmed when Hanff deleted the directory containing the file on his primary computer. Despite the deletion, the weights.bin file reappeared several minutes later. The researcher noted that the only methods to prevent this behaviour were disabling specific AI features via the chrome://flags menu or applying enterprise policy settings, neither of which is generally accessible to home users.
While the issue was observed on several devices, Hanff noted that the file was not present on every system tested, suggesting the behaviour may depend on specific user configurations or settings not immediately visible to the average operator. This inconsistency raises questions regarding the precise scope of the issue across different operating systems and user environments.
Beyond the privacy implications, Hanff highlights the potential environmental impact of this automatic deployment. He estimates that a mid-band rollout involving 500 million devices could result in approximately 30,000 tonnes of CO2e emissions annually. This figure represents the annual emissions of roughly 6,500 cars and accounts only for the initial delivery costs, with additional energy consumption likely driving the total impact higher.
The allegations suggest a potential breach of European privacy regulations, including the GDPR, due to the lack of informed consent. Google has not yet issued a public response to inquiries regarding these findings. Linxi News has reached out to the company for comment and will update this report if an official statement is received.


