Chrome downloads a 4GB AI file without user consent, researcher alleges

If you've paid any attention to Google lately, you know that it wants us using its AI tools. So much so that Chrome apparently downloads a 4GB file containing details for running Gemini Nano, Google's on-device LLM. Computer scientist Alexander Hanff published the details earlier this week on his website The Privacy Guy and goes into extreme detail on why this isn't a good look for Google.

I just verified what he said about the file, named "weights.bin," and found it in the Chrome folder in the macOS Library directory (which is ordinarily hidden so that users don't mess with potentially critical files). Indeed, it's a 4+ GB file right where he said it would be. Hanff correctly notes that at no point does Chrome prompt users to ask if they'd like to install the Gemini Nano weights, which Chrome uses for AI-powered features like "help me write" and on-device scam detection.

It's worth noting that on a second Mac I checked, the weights.bin file was not installed, nor was it found on a coworker's laptop. Shortly after updating Chrome to version 148.0.7778.97 on my personal laptop, the directory and file appeared. And when I deleted the directory containing the file on the first computer I checked, the large weights.bin file returned several minutes later.

Hanff wrote that he saw similar behavior across multiple Windows installations, as well. "The user deletes, Chrome re-downloads, the user deletes again, Chrome re-downloads again. The only ways to make the deletion stick are to disable Chrome's AI features through chrome://flags or enterprise policy tooling that home users do not generally have, or to uninstall Chrome entirely."

As Hanff notes, there are numerous issues with this behavior. It's an invisible download that the user isn't privy to and there's no opt-in, nor is it easy to remove. It's also deeply hidden in directories most users don't check, with a generic name that doesn't give any real information on what it is for.

Additional issues that Hanff calls out include the possibility that this may violate European privacy laws, including GDPR. There's also the potentially large environmental cost. Hanff estimates that a "mid-band" deployment of this 4GB file would hit 500 million devices, or about 15 percent of Chrome users. That push would result in roughly 30,000 tonnes of CO2e, the annual emissions of 6,500 cars. He also notes that this is only the initial delivery cost and that plenty of additional factors would make for a higher energy cost.

We reached out to Google for comment but did not receive a response before publication. We'll update this story if we hear back.
