Privacy Laundering
Chrome’s not-so-model AI behavior.
Open ~/Library/Application Support/Google/Chrome/OptGuideOnDeviceModel/ or the equivalent path on your OS. You’ll find a roughly 4GB language model, a.k.a. Gemini Nano, called weights.bin. Delete it while Chrome’s AI features are still on and Chrome puts it back by morning. Many of Chrome’s billions of users have it, running at their own disk and electricity cost. Not a single one asked for it.
If you’ve followed the coverage since last week, you know the reaction: outrage that nobody asked permission to install an on-device LLM. It felt familiar. Apple did this in 2014, when they force-pushed U2’s Songs of Innocence to half a billion iTunes accounts, prompting Tyler the Creator to tweet GET OFF MY F*CKING PHONE. Six days later, Apple shipped a one-click remove button. Twelve years on, the file is 40 times bigger, the artist is Gemini Nano, and the remove button never came.
Privacy researcher Alexander Hanff caught the install by running a script that visited a hundred pages on a fresh Chrome profile while watching the kernel filesystem logs. No human touched the machine; the file appeared on its own. Snopes reproduced the behavior on three of six employee laptops. A 2024 Hugging Face upload showed that an older weights.bin, extracted from Chrome Canary 128, was runnable through MediaPipe, Google’s on-device ML runtime. At least one Chrome-delivered model has been verified, on a stranger’s machine, as real and locally usable. The model is here.
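A defender-side check for the same artifact, added here as an example that is not from the article or from Hanff's script: it walks the OptGuideOnDeviceModel directory described above and reports whether weights.bin is present and how much disk it takes. The per-OS Chrome user-data paths and the versioned-subfolder layout are assumptions.

```python
# Added example, not code from the article: inventory check for the on-device model.
# Assumes weights.bin lives under <Chrome user data dir>/OptGuideOnDeviceModel/,
# possibly inside a versioned subfolder; the per-OS user-data paths below are
# assumed defaults, not taken from the article.
import os
import platform
import tempfile
from pathlib import Path

FULL_MODEL_BYTES = 3 * 2**30  # anything this large is treated as the ~4 GB model

def chrome_user_data_dirs():
    """Candidate Chrome user-data directories for this OS (assumed defaults)."""
    home, system = Path.home(), platform.system()
    if system == "Darwin":
        return [home / "Library" / "Application Support" / "Google" / "Chrome"]
    if system == "Windows":
        local = Path(os.environ.get("LOCALAPPDATA", home / "AppData" / "Local"))
        return [local / "Google" / "Chrome" / "User Data"]
    return [home / ".config" / "google-chrome"]

def find_model_weights(user_data_dir):
    """Return [(path, size_bytes)] for every weights.bin under OptGuideOnDeviceModel."""
    root = Path(user_data_dir) / "OptGuideOnDeviceModel"
    if not root.is_dir():
        return []
    return sorted((p, p.stat().st_size) for p in root.rglob("weights.bin"))

def report(user_data_dirs=None):
    """Presence and on-disk cost as a dict, e.g. for fleet inventory collection."""
    dirs = chrome_user_data_dirs() if user_data_dirs is None else user_data_dirs
    hits = [hit for d in dirs for hit in find_model_weights(d)]
    total = sum(size for _, size in hits)
    return {
        "present": bool(hits),
        "files": [str(p) for p, _ in hits],
        "total_gib": round(total / 2**30, 2),
        "full_model": any(size >= FULL_MODEL_BYTES for _, size in hits),
    }

def make_sample_layout(weights_size=1024):
    """Constructed sample: a throwaway user-data dir with one versioned weights.bin."""
    base = Path(tempfile.mkdtemp())
    model_dir = base / "OptGuideOnDeviceModel" / "2025.1.1"
    model_dir.mkdir(parents=True)
    (model_dir / "weights.bin").write_bytes(b"\0" * weights_size)
    return base
```

Calling `report()` with no arguments checks the real default profile location; `report([make_sample_layout()])` exercises the logic on the constructed layout without touching Chrome.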
The local model powers Chrome’s built-in AI APIs: Summarizer, Translator, and Language Detector are stable from Chrome 138; the Prompt API is stable for Chrome Extensions, with broader web-page access still gated through trials. It also runs the on-device pass of Chrome’s scam-detection pipeline (which still ships summary signals to Safe Browsing once it flags something).
Google’s servers run the rest. Help Me Write sends your text, the content, and the URL of the page you’re writing on. Enhanced Autofill may send the URL and page content. AI Mode, the pill Google began rolling into Chrome’s address bar in 2025, sends every query to a much larger custom Gemini in the cloud.
The local model handles what developers call from JavaScript and what the security stack does behind the scenes. The cloud handles what users actually see and click.
Until last week, the on-device-AI settings page promised that the model runs “directly on your device without sending your data to Google servers.” Reporters caught the line’s quiet removal around the Chrome 148 rollout in May. Google told them the architecture hadn’t changed, only the wording. Fair enough. But the architecture was always the problem. The features that actually invoke the local model are not the features users see. The features users see route to Google.
Enter the era of local-washing
Maybe we should call this local-washing — a narrow on-device feature laundering privacy credit across the AI surface the user actually touches. Not a conspiracy, just a missed opportunity. The model is here. The visible surface is there. The keys are in Chrome’s pocket — and Chrome won’t be the last to keep them there. Every vendor shipping on-device AI will face the same gap, including the ones building in good faith. Once “on-device” means whatever a vendor’s marketing team needs it to mean, you can’t recover what it was supposed to mean.
(Aside: I spent last Saturday building a bridge — a small Node server that spawns a headless Chrome, hosts Gemini Nano via the Prompt API in a hidden page, and exposes the whole thing as an OpenAI-compatible endpoint on localhost. The walkthrough is in a thread on X — and while you’re there, @raffihack is where more of this kind of weekend nerdery lives. The bridge isn’t the point. The point is that the wiring is doable from outside the platform on a weekend afternoon, which means every platform has to choose whether to ship the architecture honestly or wait for the community to finish it for them.)
Open infrastructure has always come together this way: the closed platform ships half the architecture, and the open community ships the half that hands ownership to the user. Linux didn’t happen because Unix vendors gave up; it happened because companies whose P&L depended on a portable, open kernel — IBM, Red Hat, Intel, eventually Google — put paid engineering behind finishing the wiring. Firefox came up against an Internet Explorer that had recently peaked north of 90% market share, with Mozilla funding the engineering.
There’s also a cost question. Cloud bears the compute; on-device moves it to your machine’s disk, battery, electricity, and warms your lap. Mozilla has flagged the tradeoff in the standards process. (Disclosure: I’m CTO there.) Hanff also runs the carbon math on the rollout itself — between 6,000 and 60,000 tons of CO2-equivalent depending on coverage, an externality that doesn’t show up on Chrome’s release notes.
Hanff goes further on the legal side. As a lawyer, he sees the push breaching four things simultaneously: Article 5(3) of the ePrivacy Directive (the storage-and-access consent rule), Article 5(1) GDPR’s principles of lawfulness, fairness, and transparency, Article 25 GDPR’s data-protection-by-design obligation, and the Corporate Sustainability Reporting Directive, in which an environmental impact of this magnitude would constitute a material disclosure for any in-scope undertaking. I’m not a lawyer, but I can tell that the cite list is specific enough that any in-house counsel watching a vendor stage a similar push should be reading it carefully.
Three questions worth keeping for the next on-device claim that crosses your desk
If you’re shipping on-device AI, three things to get right:
Be honest about the price of local. Local AI on capable hardware is the right architecture for anything that touches private data. Disk, battery, and a warm lap are the cost. Name them next to the benefit, not in a footnote nobody reads;
Wire your visible features to the local model. Not just the developer APIs or the security stack — the things your users actually click. If your marketing implies wider scope than what your visible features deliver, you’re shipping half the architecture; and
Ship the map, not just the consent box. Users in 2026 don’t need permission-to-install dialogs — they need to know which of your features run where. “AI Mode” should mean something specific. “On-device” should mean something specific. Put the map on the surface, in a sentence, without making users dig through release notes.
Cloud was rented inference: someone else’s compute, someone else’s model, your prompts on the wire. On-device done right flips every one of those — your hardware, your model, your prompts staying on your machine, the keys in your pocket. What Chrome shipped is the building without the keys. You hold the deed; the platform owns the lock.