On a fresh macOS Chrome profile that had never received a single keystroke, the file appeared anyway. weights.bin, roughly four gigabytes, sitting inside a folder named OptGuideOnDeviceModel. It is the parameters for Gemini Nano, Google's smallest on-device language model. Privacy researcher Alexander Hanff published the forensic walkthrough on May 4, 2026; the file had arrived through Chrome's update channel with no consent dialog and reinstalled itself when deleted.
A researcher built a clean room and Chrome filled it
Hanff set up his audit on Apple Silicon and used the operating system's own filesystem event logger to trace the install end to end. The Chrome profile was new, never typed into, never used. On that profile, macOS recorded Chrome creating temporary unpacking directories, downloading model components, and finally writing the multi-gigabyte weights.bin into local storage. The evidence chain ran in the operating system's logs, not in any Chrome surface the user would have seen.
Coverage spread quickly after the post. Snopes found the model on some staff machines but not others. Decrypt walked readers through where the file lives and how to remove it. Malwarebytes documented the redownload behavior on machines whose owners had cleaned out the OptGuideOnDeviceModel folder by hand.
The model does something. The question is whether it was offered.
Gemini Nano is real and the local inference is real. Google's statement to Tom's Guide called it a "lightweight, on-device model" that "powers important security capabilities like scam detection and developer APIs without sending your data to the cloud." The model has been available in Chrome since 2024, supporting features such as on-device scam detection and Help me write.
The trade-off is the textbook case for on-device AI: inference stays on the machine, prompts and context do not travel to a server, the user gets the analysis without paying in data. This is the architecture privacy advocates have been asking for. It is also the architecture that, in Hanff's account, walked into people's machines without permission.
February's toggle was already shipping when the disclosure landed
The detail that complicates the timeline: Google's fix was not retroactive. According to the company's statement, it had begun rolling out a setting to disable on-device AI and remove the downloaded model in February 2026, months before Hanff's May write-up. The setting lives in Chrome under Settings, then System; once disabled, Google told reporters, "the model will no longer download or update." Users who do not yet see the toggle can flip flags such as Optimization Guide On Device Model in chrome://flags and delete the OptGuideOnDeviceModel folder manually.
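For anyone who has deleted the folder by hand and wants to know whether it came back (the redownload behaviour Malwarebytes documented), the script below inventories weights.bin files under a Chrome user-data directory and compares each run with the previous one. It is an added example, not code from Hanff, Malwarebytes or Chrome; the default macOS path is an assumption, and the state-file location is a made-up convention.

```shell
#!/bin/sh
# Added audit helper (not from the article or from Chrome): inventory
# weights.bin files under a Chrome user-data directory and flag the case
# the article describes, a model that reappears after the folder was deleted.
# Assumed macOS user-data root (not stated on the page); override with $1.
CHROME_ROOT="${1:-$HOME/Library/Application Support/Google/Chrome}"
# Where the previous run's count is kept, so reinstalls can be spotted.
STATE_FILE="${2:-$HOME/.chrome_model_audit}"

# One line per weights.bin found under an OptGuideOnDeviceModel folder:
# "<path><TAB><size in bytes>"
list_model_weights() {
    find "$1" -type f -path '*OptGuideOnDeviceModel*' -name weights.bin 2>/dev/null |
    while IFS= read -r f; do
        printf '%s\t%s\n' "$f" "$(wc -c < "$f" | tr -d ' ')"
    done
}

# Total bytes of all weights.bin files under the root (0 when none).
total_model_bytes() {
    list_model_weights "$1" | awk -F '\t' '{ s += $2 } END { printf "%d\n", s + 0 }'
}

# Compare the current inventory with the previous run's and classify it:
#   ABSENT        no model on disk
#   PRESENT       model on disk, and it was also there last time (or first run)
#   REDOWNLOADED  model on disk although the previous run recorded none,
#                 i.e. Chrome pulled it again after a manual deletion
audit_model_state() {
    root="$1"; state="$2"
    now=$(list_model_weights "$root" | wc -l | tr -d ' ')
    prev=$(cat "$state" 2>/dev/null || echo unknown)
    printf '%s\n' "$now" > "$state"
    if [ "$now" -eq 0 ]; then
        echo ABSENT
    elif [ "$prev" = "0" ]; then
        echo REDOWNLOADED
    else
        echo PRESENT
    fi
}

# Run the audit only when executed under this file name, so the functions
# can be sourced elsewhere without touching the real profile.
case "$0" in
    *chrome_model_audit.sh)
        audit_model_state "$CHROME_ROOT" "$STATE_FILE"
        printf 'total bytes: %s\n' "$(total_model_bytes "$CHROME_ROOT")"
        list_model_weights "$CHROME_ROOT" ;;
esac
```

Save it as chrome_model_audit.sh and run it once after deleting the folder and again later; a REDOWNLOADED result means the update channel restored the weights in between.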
So the company had identified the same control problem and shipped a fix months ahead of the news cycle. What the disclosure forced was a different question: why the fix had not been the default at install.
A consent argument, not a regulator's ruling
Hanff frames the silent download as a likely violation of Article 5(3) of the EU ePrivacy Directive, which requires user consent before storing information or accessing information already stored on a subscriber's terminal equipment, with narrow exceptions for transmission or for services the user has "explicitly requested." He extends the argument to the GDPR. No regulator has acted, and no court has ruled. Both points have to be stated together: the legal theory exists, the legal verdict does not.
The environmental claim is more concrete. Hanff estimates that pushing a 4GB file to hundreds of millions of devices represents several exabytes of traffic, and at one billion devices that translates to roughly 6,000 to 60,000 metric tons of CO2-equivalent emissions before any inference is run. The range is wide because the install base is uncertain. Google has not disclosed how many devices received the file.
Why it matters
On-device AI was supposed to be the private answer. The argument was clean: if the model runs on your machine, your prompts and your context never leave it. That trade-off still holds. What changed in this story is what comes before inference.
Model weights are not a small payload. A multi-gigabyte file is a new kind of transfer, and a software update that pushes it without a separate dialog is a new kind of decision. The user paid for the disk space and picked the browser. They did not, in the strict sense Hanff is arguing for and a regulator would have to accept to follow him there, choose to receive a foundation model on their hardware.
Browsers ship updates constantly. Codecs, security patches, certificate authority bundles, fonts. The category question is whether AI model weights belong in the same bucket. They are larger than any normal Chrome update by an order of magnitude. The file changes what the local software is capable of doing, and in this case it reappeared when removed.
If the next privacy-preserving feature requires gigabytes of model weights to arrive before it can run, which is the moment a user should get to refuse?
Originally published as an Instagram carousel on @recul.ai.