Google Chrome Reportedly Installs 4GB AI Model Without Clear Opt-In
Your browser may have downloaded an AI model behind your back… and you might never know.
That’s the situation now facing many Google Chrome users, after security researcher Alexander Hanff flagged that the browser is downloading a four-gigabyte AI model onto users’ devices without a clear opt-in prompt.
According to his findings, the model is automatically installed on devices that meet certain requirements, consuming significant storage while remaining largely invisible to users. In many cases, the only telltale signs are increased bandwidth usage or rapidly filling disk space.
While the model powers useful features like scam detection and writing assistants, the rollout is drawing scrutiny for how it is delivered. Hanff argues that the lack of clear user consent mirrors patterns often associated with unwanted software, raising questions about the lengths software companies will go to push their products on users.
The overreach that infringes on several laws
The issue begins with how the AI models enter users’ devices.
If a device meets certain hardware requirements, the AI model is snuck in via Chrome’s normal update system, meaning the installation happens quietly in the background rather than as a clearly separated user action. According to Hanff, this installation process takes 14 minutes and 28 seconds end to end.
Once downloaded, the model is stored locally as weights.bin within a Chrome path called OptGuideOnDeviceModel and is used to power on-device AI features.
While its utility is clear, Hanff’s argument is that users aren’t given a clear, prior opt-in that specifically explains the size, purpose, or impact of the installation. For a company that announces every major Chrome feature update, this is weird behavior.
That is where the legal and privacy concerns come in.
Hanff argues that this approach may sit uncomfortably with established principles around user consent and transparency in software deployment. And although the model is meant to help users with on-device AI tasks, its behavior suggests otherwise. For instance, Hanff claims that although installing it requires no explicit click from users, removing this file is almost impossible, as it reinstalls itself after deletion.
As such, Hanff says such behavior violates the following laws:
“Article 5(3) of Directive 2002/58/EC (the ePrivacy Directive) [2], a breach of the Article 5(1) GDPR principles of lawfulness, fairness, and transparency [3], a breach of Article 25 GDPR’s data-protection-by-design obligation [3].”
The concern about the model’s delivery is very interesting, given that it comes from the same person who uncovered Claude’s similarly odd behavior. But this isn’t the most striking part of the behavior.
An unforeseen linkage to CO2 emissions
Hanff linked this behavior to an unintended consequence that, given the scale of affected Chrome users, significantly outweighs the behavior’s privacy concerns.
On the surface, sneaking in a 4GB file that gets reinstalled when deleted may look like petty behavior; however, Hanff notes that this behavior has consequences for Earth’s climate.
Large-scale software actions still carry a physical cost. In this case, Hanff says that not only is the AI model being added silently, but it is also being pushed to potentially millions of devices. At that scale, the transfer, storage, and usage of the model draws significant energy from data centers, network infrastructure, and end-user devices.
That energy use, which Hanff pegs at 0.06 kWh per GB, is what connects this weird behavior to climate emissions, which he says can range from 6,000 to 60,000 tonnes of CO2.
Hanff, in his report, calls it “the environmental cost of one company unilaterally deciding that two billion people’s default browser will mass-distribute a 4GB binary they did not request.”
Action steps for both Chrome and its users
Removing this file will always cause Chrome to reinstall it automatically, a persistent behavior observed in advanced malware.
Users can do one of three things:
- Turn off Chrome AI features via chrome://flags.
- Use enterprise tools dedicated to removing persistent files (suitable for enterprises using Chrome).
- Delete the Chrome browser entirely if you are uncomfortable with it until Chrome reverses course.
However, these may not be necessary if Chrome reverts to an opt-in that lets users choose whether to enable it on their computers. If Google, a company with a public posture of ethical AI behavior, doesn’t rectify its actions, Hanff says, then “we will know what the company’s published positions on responsible AI and sustainability are actually worth.”
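To check whether the model is present on a machine and how much disk it occupies before taking any of the steps above, the script below walks a Chrome user-data directory for the OptGuideOnDeviceModel folder and totals its contents. It is an added example, not code from Hanff's report or from Google; the default profile locations it checks are assumptions based on Chrome's standard install paths, not taken from the article.

```python
import os
import sys
from pathlib import Path

MODEL_DIR_NAME = "OptGuideOnDeviceModel"  # directory name given in the article

def default_chrome_roots():
    """Assumed default Chrome user-data locations (not from the article)."""
    home = Path.home()
    roots = [
        home / ".config" / "google-chrome",                              # Linux
        home / "Library" / "Application Support" / "Google" / "Chrome",  # macOS
    ]
    local = os.environ.get("LOCALAPPDATA")                               # Windows
    if local:
        roots.append(Path(local) / "Google" / "Chrome" / "User Data")
    return [r for r in roots if r.is_dir()]

def find_model_dirs(root):
    """Yield every OptGuideOnDeviceModel directory found under root."""
    for dirpath, dirnames, _ in os.walk(root):
        if MODEL_DIR_NAME in dirnames:
            yield Path(dirpath) / MODEL_DIR_NAME
            dirnames.remove(MODEL_DIR_NAME)  # already reported; skip descent

def audit(root):
    """Return [(model_dir, total_bytes, [(file, bytes), ...])], largest file first."""
    findings = []
    for model_dir in find_model_dirs(root):
        files = []
        for p in model_dir.rglob("*"):
            try:
                if p.is_file() and not p.is_symlink():
                    files.append((p, p.stat().st_size))
            except OSError:
                continue  # file vanished or is locked while Chrome updates it
        files.sort(key=lambda f: f[1], reverse=True)
        findings.append((model_dir, sum(size for _, size in files), files))
    return findings

if __name__ == "__main__":
    roots = [Path(a) for a in sys.argv[1:]] or default_chrome_roots()
    for root in roots:
        for model_dir, total, files in audit(root):
            print(f"{model_dir}: {total / 2**30:.2f} GiB in {len(files)} file(s)")
            for path, size in files[:3]:
                print(f"  {size:>14,d}  {path.relative_to(model_dir)}")
```

Running it again after deleting the folder and restarting Chrome shows whether the file has been re-downloaded, which is the behavior Hanff reports.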
The post Google Chrome Reportedly Installs 4GB AI Model Without Clear Opt-In appeared first on eWEEK.