Chrome's Silent 4 GB AI Install: The 2026 Gemini Nano Story
Chrome wrote a 4 GB Gemini Nano model file to eligible user disks with no consent dialog, and quietly restores it if deleted.
Sometime in the last month, Google Chrome wrote a roughly four-gigabyte file onto millions of personal computers without ever asking the people who owned them.
A file that appeared without a dialog
The file is called weights.bin, and it sits inside a folder named OptGuideOnDeviceModel in the user's Chrome profile. On Windows, the full path is %LOCALAPPDATA%\Google\Chrome\User Data\OptGuideOnDeviceModel\weights.bin. On macOS, the same file appears in the equivalent Chrome user-data location, written with file mode 600. There is no consent screen at install time. There is no banner notifying the user that several gigabytes have just left a Google server and landed on their drive. The folder is buried far enough into the user-data tree that anyone who is not already auditing their disk would have no reason to look there.
What weights.bin actually contains is the model weights for Gemini Nano, Google's smallest Gemini model, the one designed to run locally on a user's CPU or GPU rather than in a Google data center. According to Android Authority, which published its explainer on 6 May 2026, the file is between three and four gigabytes depending on platform and version. On 6 May 2026, a Google spokesperson confirmed to Android Authority that the file is the on-device Gemini Nano model used for Chrome AI features, and pointed users to an existing settings toggle and enterprise policy as the supported ways to opt out.
The toggle is real. The toggle began rolling out in February 2026. The complication, as every outlet that picked up the story noted, is that most users never saw a prompt telling them the toggle existed, and never saw a prompt telling them that the download had already happened.
Hanff's fourteen-minute, twenty-eight-second timeline
The reporting that pushed the story out of forum threads and into mainstream technology coverage came from security researcher Alexander Hanff, who writes as "That Privacy Guy." On 4 May 2026, Hanff published a forensic report built around a fresh audit profile he had created on 24 April 2026. The logs he captured are unusually specific.
The OptGuideOnDeviceModel directory was created at 16:38:54 CEST. The download and unpack completed at 16:47:22. The final file was moved into place at 16:53:22. Start to finish, the silent install took fourteen minutes and twenty-eight seconds. The component version Chrome logged was 2025.8.8.1141. On an Apple M1 Ultra test machine, Chrome's eligibility log read "performance_class: 6, vram_mb: 36864."
A fourteen-minute transfer of a four-gigabyte payload is not a background tweak. It is sustained network activity followed by sustained disk activity, and Hanff's timestamps are what make the install difficult to wave off as a routine variations update. He published the audit precisely because the operation left a chronological trail that any administrator could reproduce on a clean profile.
His one-line summary of the behavior is the line that the rest of the coverage picked up: "Chrome did not ask, Chrome does not surface it, and if the user deletes it, Chrome re-downloads it."
Why deleting the file does not work
That last clause is what shifted the framing from "a privacy curiosity" to a transparency story. A user who notices the four-gigabyte weights.bin file and drags it to the trash, or marks it read-only to reclaim disk space, does not get to keep that change. On the next variations-server check, Chrome restores the file. Hanff's documented behavior on Windows is that simply removing the file or marking it read-only is undone on the next sync. The application overrides the user's local decision about their own hardware.
There are two supported escape hatches, both documented in the source pack. The first is the settings toggle that Google began shipping in February 2026, which lets a user disable and remove the on-device model; once disabled, the model no longer downloads or updates. The second, for IT administrators and power users on Windows, is a Group Policy registry value: setting GenAILocalFoundationalModelSettings to 1 under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome blocks the install entirely. Neither escape hatch helps anyone who does not already know the install happened.
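For administrators who want to check a Windows machine for both the file and the policy, the following is an added example, not code from Hanff's report or from Google. The function names, the `C:\Users`-style profile root, the recursive search and the DWORD value type are assumptions; the folder, file name, registry key and value name are the ones given above.

```powershell
# Added example: report weights.bin per local profile and the state of the blocking policy.
# Run with -Enforce from an elevated session to write the policy value.
[CmdletBinding()]
param(
    [switch]$Enforce
)

$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$PolicyName = 'GenAILocalFoundationalModelSettings'

function Get-ModelFile {
    # Check every local profile, not only the current user's %LOCALAPPDATA%.
    $profiles = Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue
    foreach ($p in $profiles) {
        $dir = Join-Path $p.FullName 'AppData\Local\Google\Chrome\User Data\OptGuideOnDeviceModel'
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        # -Recurse is an assumption, in case the file sits in a subfolder of this directory.
        Get-ChildItem -LiteralPath $dir -Filter 'weights.bin' -File -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    User      = $p.Name
                    SizeGB    = [math]::Round($_.Length / 1GB, 2)
                    Created   = $_.CreationTime
                    LastWrite = $_.LastWriteTime
                    Path      = $_.FullName
                }
            }
    }
}

function Get-ModelPolicy {
    # Returns 'NotConfigured' when the key or the value is absent.
    $v = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 'NotConfigured' }
    if ($v.$PolicyName -eq 1) { return 'Blocked' }
    return "Value=$($v.$PolicyName)"
}

if ($Enforce) {
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    # DWord is an assumption; the article gives only the value name and the number 1.
    New-ItemProperty -Path $PolicyKey -Name $PolicyName -Value 1 -PropertyType DWord -Force | Out-Null
}

"Policy state: $(Get-ModelPolicy)"
Get-ModelFile | Format-Table -AutoSize
```

A changed `Created` or `LastWrite` time on a file that was previously deleted is the restore behavior described above showing up in the audit output.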
Malwarebytes, summarizing Hanff's findings on 6 May 2026, put the disclosure question bluntly: "It does not ask for consent, and sends no notification, not even one of those annoying cookie banners." The phrasing matters because Malwarebytes also went out of its way, alongside Android Authority, PCWorld, gHacks, Pureinfotech, Cyberinsider, Winbuzzer, Android Headlines, and AlternativeTo, to say what weights.bin is not. It is not malware. It is not spyware. It is not exfiltrating browsing history. The model runs locally on the user's CPU or GPU, which means text typed into Chrome features like "Help me write" or page summarization is processed on the device rather than sent to a Google server.
That is, on its own terms, a privacy-positive design. The dispute documented across the May 2026 reporting is not whether on-device inference is a useful idea. The dispute is whether shipping a four-gigabyte model file to a user's drive without an in-product consent step, and silently restoring it after deletion, meets the transparency expectations users have for their browser.
Who got the install, and what it powers
Chrome did not push weights.bin to every machine. The documented hardware eligibility is roughly 16 GB or more of system memory and at least 22 GB of free storage, which scopes the install to mid- and high-end desktops and laptops running recent Chrome builds. The eligibility log on Hanff's M1 Ultra test machine reported a performance class of 6 and 36,864 megabytes of VRAM, well above the floor.
Inside Chrome, the on-device model powers a defined set of features: "Help me write" in textareas, Smart Paste, tab-group AI suggestions, page summaries, and on-device scam detection. Each of those is the kind of small assistive surface a user might activate two or three times a day without ever wondering where the inference is happening. The reach matters because at the time of the report, Google Chrome held over 64 percent of the global desktop browser market. Even with the hardware floor, "eligible Chrome user on capable hardware" is a population measured in the hundreds of millions of devices.
That is the scale gap the May reporting kept circling back to. The feature design is local-first. The deployment was global, silent, and durable.
What this story is actually about
It is worth being precise about the line the coverage is drawing. No outlet in the source pack is arguing that Google is reading anyone's documents through Gemini Nano. No outlet is calling for a regulator to force the file's removal. The reporting is a few days old, no regulator has acted, and the file's local-inference design is, in the abstract, the kind of architecture privacy advocates have asked browser vendors to adopt.
The story is narrower and harder to dismiss. A browser installed on the majority of desktop computers on the planet wrote a four-gigabyte file to user disks, did not surface the install, restored the file when users tried to remove it, and shipped the opt-out toggle three months before most users learned the install had happened. The fix is not technical; the fix is disclosure. A consent dialog, at install time, would have prevented the entire May 2026 news cycle.
The on-device model is still on those disks. The toggle is still in Chrome's settings. The Group Policy value still works on Windows. Whatever a given reader decides about the trade-off, the next click really is the one that matters: keep the file, or open Chrome's settings and turn the feature off.
Sources
- That Privacy Guy: Google Chrome silently installs a 4 GB AI model on your device without consent
- Android Authority: The truth behind Chrome's 4GB weights.bin Gemini Nano file
- Malwarebytes Labs: Google Chrome's silent 4GB AI download problem
- Pureinfotech: Stop Chrome from silently downloading Gemini Nano AI model on Windows 11
- gHacks Tech News: Google Chrome is silently downloading a 4GB Gemini Nano AI model to user devices without consent