Google Chrome Silently Downloads 4 GB Gemini Nano AI Model, Raising Privacy, Cost, and Environmental Concerns
What Happened — Chrome automatically downloads a 4 GB Gemini Nano AI model (file weights.bin) into the user’s profile directory when the device meets hardware requirements. The download occurs without any user prompt, and the file is re‑installed if manually deleted.
Why It Matters for TPRM —
- Unauthorised data transfer can breach EU ePrivacy/GDPR rules and expose organisations to regulatory fines.
- The 4 GB download can quickly exhaust metered or limited bandwidth, inflating operational costs for remote or developing‑region workforces.
- Persistent silent installation signals a broader lack of transparency from a critical SaaS provider, increasing supply‑chain risk.
Who Is Affected — Enterprises of any size that rely on Google Chrome on employee devices, especially those with bandwidth caps or strict data‑privacy compliance (e.g., EU‑based finance, healthcare, and public‑sector organisations).
Recommended Actions — Deploy Chrome enterprise policies to disable on‑device AI model download, monitor network traffic for large, unexpected transfers, audit compliance with ePrivacy/GDPR, and consider alternative browsers for high‑risk environments.
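The "monitor network traffic for large, unexpected transfers" action is easy to state and easy to get wrong: a model of this size will usually arrive as a series of chunked downloads, so a per-connection size threshold misses it. The script below is an added example (not from the Malwarebytes article) that aggregates bytes per client/destination pair from proxy or flow logs before alerting. The log format, hostnames, IPs and the 1 GiB threshold are all constructed for the example; adapt `parse_line()` to your own proxy or NetFlow export and build the allowlist from destinations you have already verified.

```python
"""
Flag large aggregate transfers in proxy/flow logs.

Added example for the TPRM recommendation above. The one-line-per-flow
format (timestamp, client, destination host, bytes to client), the
hostnames and the threshold are constructed assumptions, not facts
from the article.
"""
import re
from collections import defaultdict

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) dst=(?P<dst>\S+) bytes=(?P<bytes>\d+)$"
)

GIB = 1024 ** 3
# A multi-GB model rarely arrives as a single flow; downloads are chunked,
# so totals are aggregated per (client, destination) over the whole window.
ALERT_THRESHOLD_BYTES = 1 * GIB

# Constructed sample: one client pulls ~4 GiB in four chunks from one host,
# another client does ordinary browsing, and one line is malformed.
SAMPLE_LOG = """\
2025-06-10T09:12:01Z client=10.0.4.21 dst=model-cdn.example.com bytes=1073741824
2025-06-10T09:12:40Z client=10.0.4.21 dst=model-cdn.example.com bytes=1073741824
2025-06-10T09:13:19Z client=10.0.4.21 dst=model-cdn.example.com bytes=1073741824
2025-06-10T09:13:58Z client=10.0.4.21 dst=model-cdn.example.com bytes=1073741824
2025-06-10T09:14:02Z client=10.0.4.22 dst=www.example.com bytes=524288
2025-06-10T09:14:05Z client=10.0.4.22 dst=www.example.com bytes=731432
this line is garbage and must be skipped
"""


def parse_line(line):
    """Parse one flow line; return None for lines that do not match the format."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "client": m["client"], "dst": m["dst"], "bytes": int(m["bytes"])}


def aggregate(lines):
    """Sum bytes per (client, dst) pair, skipping malformed lines rather than failing."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        totals[(rec["client"], rec["dst"])] += rec["bytes"]
    return dict(totals)


def find_large_transfers(lines, threshold=ALERT_THRESHOLD_BYTES, allowlist=()):
    """Return [(client, dst, total_bytes)] for pairs at or above threshold,
    largest first, excluding destinations on the allowlist."""
    hits = []
    for (client, dst), total in aggregate(lines).items():
        if dst in allowlist:
            continue
        if total >= threshold:
            hits.append((client, dst, total))
    return sorted(hits, key=lambda h: -h[2])


if __name__ == "__main__":
    for client, dst, total in find_large_transfers(SAMPLE_LOG.splitlines()):
        print(f"ALERT {client} -> {dst}: {total / GIB:.2f} GiB")
```

Run it against a real export by replacing `SAMPLE_LOG` with the file contents; keep the aggregation window short enough (an hour or a day) that legitimate cumulative browsing does not cross the threshold. For the policy side of the recommendation, Chrome's enterprise policy list includes a setting for the local GenAI foundational model (as I recall it, `GenAILocalFoundationalModelSettings`, where value 1 means do not download); that name is not from the article, so confirm it against the current Chrome enterprise policy documentation before pushing it to a fleet.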
Technical Notes — The model is stored as weights.bin in OptGuideOnDeviceModel within the Chrome profile. No CVE is associated; the behavior is a product‑feature decision rather than a vulnerability. Data type: binary AI model (~4 GB). Source: Malwarebytes Labs
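The path in the technical notes gives fleet owners a concrete thing to audit: whether `weights.bin` under `OptGuideOnDeviceModel` is present on endpoints, and how large it is. The script below is an added example (not code from the article or from Google) that walks Chrome user-data roots and reports every such file. The default root locations per platform are assumptions based on Chrome's usual layout, and the sample directory tree it builds for the offline demo is constructed; pass explicit roots when running it on managed machines.

```python
"""
Audit endpoints for the on-device model file described in the article.

Added example. Reports every weights.bin that sits under a directory named
OptGuideOnDeviceModel (the location the article gives) and summarises
how many look like the full multi-GB model. Default Chrome user-data
roots are assumptions; the demo tree is constructed for offline use.
"""
import os
import sys
import tempfile
from pathlib import Path

MODEL_DIR_NAME = "OptGuideOnDeviceModel"
MODEL_FILE_NAME = "weights.bin"
GIB = 1024 ** 3


def default_chrome_roots():
    """Assumed Chrome user-data locations per platform (verify for your fleet)."""
    home = Path.home()
    if sys.platform.startswith("win"):
        local = os.environ.get("LOCALAPPDATA")
        return [Path(local) / "Google" / "Chrome" / "User Data"] if local else []
    if sys.platform == "darwin":
        return [home / "Library" / "Application Support" / "Google" / "Chrome"]
    return [home / ".config" / "google-chrome"]


def find_on_device_models(roots):
    """Return [(path, size_bytes)] for each weights.bin below an OptGuideOnDeviceModel dir."""
    found = []
    for root in roots:
        root = Path(root)
        if not root.is_dir():
            continue
        for path in root.rglob(MODEL_FILE_NAME):
            # Only count files whose ancestry includes the model directory;
            # a weights.bin elsewhere in the profile is something else.
            if MODEL_DIR_NAME in path.parts and path.is_file():
                found.append((path, path.stat().st_size))
    return found


def summarize(findings, large_threshold=1 * GIB):
    """Count findings and list those large enough to be the full model rather than a stub."""
    return {
        "count": len(findings),
        "total_bytes": sum(size for _, size in findings),
        "large": [str(p) for p, size in findings if size >= large_threshold],
    }


def build_constructed_tree(base):
    """Constructed layout for the offline demo: a small stand-in model file nested one
    level below the model directory (rglob copes with versioned subfolders), plus a
    same-named decoy outside that directory which must be ignored."""
    base = Path(base)
    model = base / "User Data" / MODEL_DIR_NAME / "versioned-subdir" / MODEL_FILE_NAME
    model.parent.mkdir(parents=True)
    model.write_bytes(b"\0" * 4096)
    decoy = base / "User Data" / "Default" / MODEL_FILE_NAME
    decoy.parent.mkdir(parents=True)
    decoy.write_bytes(b"\0" * 10)
    return base / "User Data"


def demo():
    """Run the audit over the constructed tree; returns ([(name, size)], summary)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_constructed_tree(tmp)
        findings = find_on_device_models([root])
        return [(p.name, size) for p, size in findings], summarize(findings)


if __name__ == "__main__":
    roots = [Path(a) for a in sys.argv[1:]] or default_chrome_roots()
    findings = find_on_device_models(roots)
    for path, size in findings:
        print(f"{path} {size / GIB:.2f} GiB")
    print(summarize(findings))
```

On a real endpoint the `large` list is the signal worth tracking: a full-size file confirms the download happened on that device, while an empty list after a policy rollout confirms the policy took effect (re-run it later, since the article notes the file is re-installed when deleted manually).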