Google Chrome is quietly installing a 4GB on-device AI model (Gemini Nano weights.bin) on users' devices without consent, raising significant cybersecurity and privacy concerns about unauthorized software installation, lack of user awareness, and potential security vulnerabilities in enterprise environments.
Why Cybersecurity Pros Are Worried About Chrome's New AI
How much do you trust Big Tech?
How much do you trust Google? Some of you maybe don't trust them at all.
There are obviously reasons for that. I can totally see that. But let's talk about Google. Let's talk about Google Chrome and what's going on and what you need to know about as a user of Google Chrome.
All right. So, Guy finds Google Chrome is quietly installing a 4 GB AI model on our devices.
Hanif said on his blog he's discovered that Chrome is reaching into users' machines and writing a 4 GB on-device AI model file to disk without asking.
That doesn't sound great.
File name weights.bin and it lives in opt guide on-device model. Essentially, it's the weights for Gemini Nano, Google's on-device large language model. Moreover, the file appeared with no consent prompt, Hanif said.
There's no checkbox in Google Chrome settings labeled download a 4 GB AI model.
The download triggers when Chrome's AI features are active.
And of course, those features are active by default in recent Chrome versions.
So, that's concerning, right? When something just, uh, you kind of opt in, but you don't kind of opt in and it just downloads an additional file, additional capability.
Um, yeah, that's, I don't know. That's kind of concerning.
[laughter] Like, what do you think? You think that's okay for you to opt into a service and then get additional things downloaded that maybe you weren't aware of?
Um, I'd be interested to hear everybody's thoughts on that. Uh, we'll talk about kind of what that reminds me of. Um, or I guess we can talk about it now. So, if you've ever seen the show, it's called Silicon Valley, and I believe it was on HBO, I want to say. But essentially it's about a startup founder and the kind of incubator that he lives in and all his friends and their ability to create this whole, uh, it starts out as a compression algorithm and then it kind of evolves into this thing where they are essentially doing the same thing, where they're installing something on a phone and then in the background they're doing things for a decentralized internet. I don't want to spoil the show cuz the show is awesome. It's very interesting, very entertaining. It's on Netflix right now, uh, or not Netflix, it's on at least Apple TV, but definitely check that show out if you've never seen it.
It's a great show. But there's a lot of realities of Silicon Valley and Big Tech in that show and startup life, and yeah, it's got a lot of truths to it for sure. But it definitely reminds me of that, if you've never seen that show.
Let's go back to the article here.
Computer scientists calculated that the total install time from directory creation to final move is only 14 minutes and 28 seconds. Obviously, that probably depends on internet speed and computer speed and all that stuff. Human user doesn't need to do anything and only finds out about the download months later when their disk fills up. Well, that's obviously alarming.
Classically, while adding the file takes zero clicks, removing it requires multiple steps, none of which are documented or even hinted at in Chrome, Hanif points out.
So, obviously, that is alarming that it's getting installed just in general without any kind of awareness of that from the user, but then also, almost in malware fashion, in order to actually get rid of the thing, you've got to go through way more hurdles than to actually get the thing in the first place.
So, that's always alarming just when companies add roadblocks to essentially get rid of something when it's legitimate or when it's not legitimate.
Right? We expect that when it's not legitimate, but if you're actually just installing software that you want to have, so Google Chrome, and you're making it way more difficult to remove these unwanted files that you're not even aware of in the first place, well, that's I don't know. That seems kind of shady to me.
[laughter] Who am I? I'm just the guy, right? But that seems, uh, you know, seems not great. Especially in the enterprise, if you're allowing Google Chrome, right? That becomes another scenario, especially for a lot of my audience who are working in cybersecurity, working in IT, working in tech: you're allowing Google Chrome, maybe you're allowing the AI capabilities, and then all of a sudden Google is kind of abusing that and taking that a step further. Certainly concerning here.
Uh, a couple weeks ago Hanif said that Anthropic was secretly installing what he called spyware on users who were installing Claude desktop, accusing the AI company of directly breaching the EU's ePrivacy Directive, as well as a multitude of computer access and misuse laws. So, if you're not familiar, in Europe they definitely have a lot of privacy and, um, just restrictions around those kind of things. So, we see big tech getting in trouble a lot in those other countries because they do these things that maybe they can get away with, like in the United States for example, or other countries, but then because of how strict the EU is with privacy and computer access, data sovereignty, all those things, we see them often get in trouble there especially first. Um, maybe not just there, but we definitely see that tend to pop up very frequently in those regions, in those countries.
But there's more, simply because the Google Chrome browser is so much more popular than any Claude application, at least for now. Yeah, so, and that's the other thing too, right? We're talking about even just like malicious threat actors, they go after popular things.
What's most popular? We talked about things like certificate authorities, going after kind of the source that has a lot of reach to a lot of different areas, a lot of customers and users, countries, companies, whatever the case is.
Obviously not everybody's using Claude, but a lot of people are using Chrome.
Way more are using Chrome than using Claude.
So certainly a larger-scale concern just because of the possible reach.
And it's like let's just say it's a legitimate kind of thing. Like let's not even take this whole idea of installing it without notifying somebody.
Let's say that that gets compromised in some way, or some vulnerability or something that somebody can take advantage of. Now not only have you forcibly installed something on somebody's end device, now you have something that's vulnerable, and so you have literally introduced vulnerabilities and concerns beyond just that initial thing with these other devices. So there's a lot of, let's say, ethical things that are kind of in flux here. Um, and I guess that depends on what your view of, you know, being ethical and having morals and all those things, what that kind of means to you, because certainly that is subjective and varies.
But, uh, I'd say, you know, that it's probably generally not going to be an ethical thing, right? Doing things without consent is definitely not deemed ethical or moral in any kind of normal circumstance or normal kind of environment.
So, um, that's all that the article covers in there, but I'll leave the link in the description to this article. So, if you want to look at this more, uh, again, certainly this is concerning.
It doesn't matter this Google, but certainly because it's Google, Google is more widespread, Google Chrome is you know, I don't know exactly offhand what the market share is for Google Chrome and downloads, but a lot of people use it.
And so, that idea alone makes it even more concerning. So, I hope that you've got something out of this article.
Definitely check the article out. Let me know your thoughts in the comments. I'm curious what you're thinking about this in relation to Google, Google Chrome, or just in general the idea of a legitimate company being able to in the background add additional files, add additional capabilities, features, things going on in the background that you're not aware of as an end user, and what your thoughts are for that, for your personal use, for the enterprise use. Uh there's a lot of different areas that we can kind of dive into here. So, let me know in the comments.
With that being said, we'll go ahead and wrap this one up. Hope you enjoyed it and I'll see you in the next one. See you later.