HackRead

Google Chrome Accused of Silently Installing 4GB AI Model on User Devices


A cybersecurity researcher has found that Google Chrome is now downloading a massive AI model onto users’ computers without asking first. Alexander Hanff, aka That Privacy Guy, discovered that the browser is stashing a 4GB file on machines that meet certain hardware levels. The file, called Gemini Nano, is Google’s attempt to run artificial intelligence directly on your laptop rather than in the cloud.

To prove this wasn’t just a glitch, Hanff ran a controlled test using a brand-new, clean Chrome user profile on an Apple Silicon Mac in April 2026. By checking a macOS kernel log called .fseventsd, which records every file move at the system level, he was able to track the browser’s background activity.

On 24 April 2026, the browser created a folder called OptGuideOnDeviceModel and downloaded a file named weights.bin in just 14 minutes. Most importantly, the profile had no human input during this time; the browser initiated the process on its own while idle.

According to the researcher, the browser first evaluates the machine’s hardware. If the computer is powerful enough, Chrome starts the background download during idle time. There is a real-world cost to these silent downloads.

While Google says this helps with tasks like scam detection and developer APIs, the way it arrives is a cause for concern. Hanff calculated that if Google manages to get 100 million users to download it, it would consume 24 GWh of electricity. If they reach 30% of Chrome users, which makes up about a billion people, the energy used hits 240 GWh. That is a massive amount of power just to move files people didn’t ask for.

Apart from the environment, there is the legal side. Hanff argues this “silent” installation likely breaks the EU ePrivacy Directive and the GDPR. These laws require companies to be transparent and get consent before storing data on a person’s device.

“This is, in my professional opinion, a direct breach of Article 5(3) of Directive 2002/58/EC (the ePrivacy Directive), a breach of the Article 5(1) GDPR principles of lawfulness, fairness, and transparency, a breach of Article 25 GDPR’s data-protection-by-design obligation, and an environmental harm of a magnitude that would be a notifiable event under the Corporate Sustainability Reporting Directive (CSRD) for any in-scope undertaking,” the researcher wrote in his blog post.

Hanff also mentions a similar issue with Anthropic’s Claude Desktop app, as he found that the Claude app installed a browser integration bridge on several browsers, even those that were not currently installed. These two cases suggest a pattern where tech companies treat user devices as deployment targets.

How to manage the AI model

To see if the model is on your device, type chrome://on-device-internals into the address bar. To stop the download, use the toggle Google recently added to Chrome Settings, called Turn On-device AI on or off, which you can find under the System menu. Alternatively, visit chrome://flags to manually disable AI features. Simply deleting the file is useless, as Chrome will re-download it the moment you relaunch it.
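For checking from outside the browser, for instance across several user accounts on one machine, the following added example (not from Hanff's post or from Google) looks for the OptGuideOnDeviceModel folder and weights.bin named above and reports each copy's size and modification time. The Chrome user-data paths in default_roots() are assumptions about default install locations and do not come from the article.

```python
import os
from datetime import datetime, timezone
from pathlib import Path

MODEL_DIR = "OptGuideOnDeviceModel"  # folder name reported in the article
WEIGHTS = "weights.bin"              # file name reported in the article


def default_roots(home=None):
    """Assumed default Chrome user-data directories (not given in the article)."""
    home = Path(home) if home else Path.home()
    return [
        home / "Library" / "Application Support" / "Google" / "Chrome",  # macOS
        home / ".config" / "google-chrome",                              # Linux
        home / "AppData" / "Local" / "Google" / "Chrome" / "User Data",  # Windows
    ]


def find_models(roots):
    """Return a list of (path, size_bytes, mtime_utc) for every weights.bin found."""
    hits = []
    for root in roots:
        model_root = Path(root) / MODEL_DIR
        if not model_root.is_dir():
            continue
        # The weights file may sit in a subfolder, so search the whole tree.
        for cur, _dirs, files in os.walk(model_root):
            if WEIGHTS in files:
                p = Path(cur) / WEIGHTS
                st = p.stat()
                when = datetime.fromtimestamp(st.st_mtime, tz=timezone.utc)
                hits.append((p, st.st_size, when))
    return sorted(hits)


def total_bytes(hits):
    """Disk space used by all copies found."""
    return sum(size for _path, size, _when in hits)


if __name__ == "__main__":
    found = find_models(default_roots())
    for path, size, when in found:
        print(f"{path}  {size / 2**30:.2f} GiB  modified {when.isoformat()}")
    print(f"{len(found)} copy/copies, {total_bytes(found) / 2**30:.2f} GiB total")
```

The script only reports; as noted above, removing the file without turning the feature off just triggers another download.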




