Google's Chrome Secretly Installs a 4GB Gemini Nano Model—and Restores It When You Remove It

May 07, 2026 (updated May 08, 2026), by Charles Toron

There is a decent chance a 4GB AI model is sitting on your computer right now—one you never agreed to install.

The file is called weights.bin, buried inside a folder named OptGuideOnDeviceModel within Chrome's user data directory. It contains the weight file for Gemini Nano, Google's on-device language model. Delete it, and Chrome simply downloads it again.

Privacy researcher Alexander Hanff uncovered the behavior while running an automated audit on a fresh Chrome profile. Using macOS kernel filesystem logs, he traced Chrome creating a temporary directory, pulling down model components, and placing the finished file on disk. The entire process took roughly 15 minutes—with no notification, no prompt, and zero human input at any point during the profile's existence.

The same pattern has since been confirmed on Windows 11, Apple Silicon Macs, and Ubuntu. Users who have been experiencing unexplained storage spikes for more than a year now have a name for the culprit.

What the Model Actually Does

Gemini Nano powers Chrome's on-device AI features, including tools like "Help me write an email," scam detection, smart paste, page summarization, and AI-assisted tab grouping.

On Windows, the file lands at %LOCALAPPDATA%\Google\Chrome\User Data\OptGuideOnDeviceModel\weights.bin. On Mac and Linux, it resides in the equivalent Chrome profile directory. Deleting the folder provides no permanent relief.
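To check a machine for the file and confirm whether it comes back after deletion, here is an added example (not code from the article, Hanff, or Google). The function names are hypothetical, and the macOS and Linux locations are Chrome's standard default user data directories, assumed here because the article only spells out the Windows path.

```python
import os
import sys
from pathlib import Path

MODEL_DIR = "OptGuideOnDeviceModel"  # folder name reported in the article
WEIGHTS = "weights.bin"              # file name reported in the article


def default_user_data_dirs():
    """Chrome's default user data roots for the current OS.

    The Windows location is the one the article gives; the macOS and Linux
    locations are Chrome's standard defaults (assumption, not from the article).
    """
    home = Path.home()
    if sys.platform == "win32":
        base = os.environ.get("LOCALAPPDATA", str(home / "AppData" / "Local"))
        return [Path(base) / "Google" / "Chrome" / "User Data"]
    if sys.platform == "darwin":
        return [home / "Library" / "Application Support" / "Google" / "Chrome"]
    return [home / ".config" / "google-chrome"]


def snapshot(user_data_dir):
    """Map each weights.bin under OptGuideOnDeviceModel to (size, mtime)."""
    model_root = Path(user_data_dir) / MODEL_DIR
    found = {}
    if model_root.is_dir():
        # rglob also covers builds that keep the file in a versioned subfolder.
        for path in model_root.rglob(WEIGHTS):
            st = path.stat()
            found[str(path)] = (st.st_size, st.st_mtime)
    return found


def restored(before, after):
    """Paths in `after` that are new or were rewritten since `before`."""
    return sorted(p for p, (_, mtime) in after.items()
                  if p not in before or mtime > before[p][1])


if __name__ == "__main__":
    for root in default_user_data_dirs():
        files = snapshot(root)
        if not files:
            print(f"{root}: no {WEIGHTS} under {MODEL_DIR}")
        for path, (size, mtime) in files.items():
            print(f"{path}: {size / 2**30:.2f} GiB, mtime {mtime:.0f}")
```

Take one `snapshot` before deleting the folder and another later; any path that `restored` returns was written again after the first snapshot.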

Chrome recently added a prominent "AI Mode" pill button in the address bar. A reasonable user seeing that button—with a 4GB local model already on their disk—would likely assume their queries stay on-device. They don't. AI Mode routes every query to Google's cloud servers. The local Gemini Nano model does not power it at all. In effect, users are paying the storage and bandwidth cost for a feature they are not actually using privately.

Is It Legal?

Hanff argues Google is violating EU privacy law. His case centers on Article 5(3) of the ePrivacy Directive—the same clause behind cookie consent banners—which requires "prior, freely-given, specific, informed, and unambiguous consent" before storing anything on a user's device. He also cites GDPR Articles 5(1) and 25, covering transparency and privacy by design.

Hanff drew a direct parallel to a case he published two weeks earlier: Anthropic's Claude Desktop had silently pre-authorized browser automation across roughly three million user machines without explicit consent. He argued it was the same pattern, though at a much smaller scale.

Google, for its part, has been quietly including Gemini Nano in Chrome for some time—most users simply didn't notice.

"To provide an enhanced browser experience, Chrome uses on-device AI models to help power web and browser features," Google states in its support documentation. "Chrome may download on-device Generative AI models in the background, so features that rely on these on-device models stay ready for use. If you delete on-device AI models, only features that rely on them will be unavailable."

"In February, we began rolling out the ability for users to easily turn off and remove the model directly in Chrome settings. Once disabled, the model will no longer download or update," the company told one technology publication.

Google also noted that the model auto-deletes if storage runs low. What the company did not address, however, is why users were not asked for their consent in the first place.

Notably, Google's own Chrome developer documentation advises third-party developers that it is "best practice to alert the user to the time required to perform these downloads." In this instance, Google did not follow its own guidance.

Why it matters

  • The discrepancy between where the model sits (on-device) and where AI Mode queries actually go (Google's cloud) means users who assume local processing offers privacy protection are mistaken—the storage cost is local, but the data exposure is not.

  • Google's own Chrome developer documentation recommends that third-party developers notify users before large background downloads; the fact that Google did not apply that standard to its own model download creates a notable internal inconsistency that regulators could cite.

  • Article 5(3) of the EU ePrivacy Directive has historically been enforced through cookie consent requirements; applying it to silently downloaded AI model weights would significantly broaden its scope beyond cookies and tracking scripts.
