Not in the Brief ■ Episode 01
Open chrome://on-device-internals in a new tab.
If your machine qualifies, you will see a multi-gigabyte
language model that Chrome has downloaded onto your disk,
listed with a version number and a file size. Any website
you visit can call this model through an API in JavaScript.
There is no permission prompt. There never was.
This is the first episode of Not in the Brief: a series on the documented mechanics of software that has been added to your machine without you being asked. We start with the largest target available, because the change is hidden in plain sight, and because almost everyone is affected.
What Is Built In
Chrome ships seven on-device AI APIs, all backed by a foundation model called Gemini Nano. Gemini Nano runs locally; the inference does not leave the machine. The APIs, in order of relevance, are:
- LanguageModel: the Prompt API. Free-form text in, text out.
- Summarizer: text summarisation.
- Translator: language translation between supported pairs.
- Writer: short-form generative writing.
- Rewriter: text rewriting and tone change.
- Proofreader: grammar and style correction.
- LanguageDetector: language identification.
Generally available for extensions since Chrome 138 (May 2025). For ordinary web pages, the APIs are in Origin Trial and behind a feature flag for end users; in practice, this means a website needs an Origin Trial token, and the browser must have the model loaded. The trial route does not require user consent at the page level either.
How It Got On Your Machine
Announced at Google I/O in May 2024. The decision logic Chrome applies today, as documented by Google's own developer pages, is the following.
When the user starts Chrome on a qualifying device, the browser checks four things in the background: more than 4 GB of VRAM available, at least 16 GB of system RAM, at least 22 GB of free space on the volume holding the Chrome profile, and a supported operating system (Windows 10 or 11, macOS 13 or later, Linux, or ChromeOS on a Plus device). On mobile Chrome the entire feature is unavailable, so phones are out. Desktops, laptops and Chromebook Plus devices are in.
When all four conditions hold and any local activity (a relevant page, an extension, an Origin Trial token) triggers the API, Chrome downloads Gemini Nano in the background, on an unmetered connection. There is no installation prompt. No "Chrome would like to download a 2 GB model" dialog. The model arrives, lives on disk, and updates itself.
If the free disk space later drops below 10 GB, Chrome removes the model. If the eligibility criteria are not met for 30 days, the model is purged. Both removals happen without user interaction; both reinstall when the conditions return.
How A Website Talks To The Model
The API surface is straightforward. A web page in JavaScript writes:
const session = await LanguageModel.create();
const reply = await session.prompt("Summarise this page.");If the model is available, a session is returned and the
page can call session.prompt("...") to get
text back. There is no permission dialog at any point in
this exchange. The same code, in 2018, would have produced
a navigator.mediaDevices.getUserMedia() call
for the microphone or camera, and would have triggered a
browser-level prompt asking the user. The Prompt API does
not.
The cross-origin story is partial. A top-level page on
example.com can call the API. A same-origin
iframe can call it. A cross-origin iframe (an embedded ad,
an embedded widget) needs the parent page to set the
allow="language-model" attribute on the
iframe. This is the only permission boundary in the
architecture, and it lives between iframes, not between
site and user.
The capability probe
LanguageModel.availability() returns one of
three values: 'available',
'downloading', or 'unavailable'.
Any page that calls this method learns whether the visitor
is on a model-capable device. This is a hardware-class
probe without a permission prompt, in a browser whose
Privacy
Sandbox was discontinued in April 2025 and whose own
advertising
policy explicitly permits digital fingerprinting since
February 2025. It is one further entry in a list of
more than thirty active fingerprinting vectors active in
production Chrome today.
There is no rate limit on the website's calls. There is no per-origin token quota. The compute cost is paid by the user's CPU, GPU and battery; the website pays nothing.
Why The Permission Prompt Is The Story
Browsers express their security policy through their dialogs. Geolocation needs one. Microphone, camera, screen capture, notifications, clipboard, USB, MIDI, Bluetooth: all need them. Local language-model inference does not. That is not a small detail. It is an architectural statement: this feature is classified, by Chrome, as belonging to the standard platform, not to the privileged plate. It sits next to the JavaScript engine, not next to the camera.
A reasonable user reading the brief would expect to be asked about a feature that uses several gigabytes of disk, runs on the user's GPU, and consumes battery whenever a website calls it. The user is not asked. The brief did not specify this, the user accepted it by accepting Chrome.
What This Means For Risk
Three risk lines are real, and they should be named without panic.
Fingerprinting and tracking.
LanguageModel.availability() is a
fingerprinting input. Combined with the canvas, font,
audio, language, GPU and timing vectors that are
already
in production use across roughly thirteen per cent of the
top 20,000 websites (per a 2025 ACM study), the
addition of a model-availability probe contributes to a
higher-entropy fingerprint. In a browser without Privacy
Sandbox and with explicit policy permission for
fingerprinting, this is a measurable degradation.
Indirect prompt injection. Web content goes into the model. Model output goes back into web UIs. A page that includes a hidden instruction in user-readable text can attempt to coerce the model into producing output that influences subsequent actions. OWASP found indirect prompt injection in 73 per cent of production AI deployments it audited in 2024. Google has responded with a five-layer defence and a separate "User Alignment Critic" model that watches the agentic Gemini sidebar; that response is itself a recognition that the threat class is severe. The on-device Prompt API does not face the agentic-action surface, but a website that uses it to summarise web content for the user is one prompt-injection layer away from inserting whatever the attacker has inserted into the displayed result.
Hijack and privilege boundaries. CVE-2026-0628, disclosed in early January 2026 and fixed by Google in mid-January, allowed Chrome extensions with basic permissions to hijack the Gemini Live panel and inherit camera, microphone and file-access privileges through the panel's surface. The panel is not the same component as the Prompt API, but the disclosure shows that the boundary between the AI surfaces in Chrome and the rest of the browser's privilege system has been crossed at least once.
These are not theoretical risks. They are documented in Chrome's own security advisories, in OWASP's annual report, and in disclosures by Palo Alto's Unit 42, Malwarebytes and SecurityWeek.
How To See It On Your Own Machine
Three tabs, one policy. Five minutes.
chrome://on-device-internals.
The model status, version, file size and update history.
If the page shows a Gemini Nano entry with a version
number and a size, the model is on your disk and ready to
be called.
chrome://flags/#optimization-guide-on-device-model.
Set this to Disabled. Relaunch Chrome. The model will
not be downloaded; if it has already been downloaded, it
will be removed.
chrome://flags/#prompt-api-for-gemini-nano.
Set this to Disabled. Relaunch. The web-page API surface
is gone; pages calling LanguageModel.create()
will fail with 'unavailable'.
Enterprise policy. On Windows, set the
registry value
HKLM\SOFTWARE\Policies\Google\Chrome\GenAILocalFoundationalModelSettings = 1
(DWORD). On macOS and Linux there are equivalent profile
keys. Chrome will respect this and the model will not
return through future updates.
DevTools. Open a tab on any site, open
DevTools, switch to the Network panel, and filter for
optimizationguide-pa.googleapis.com. This is
the model and configuration update server. You will see
traffic when Chrome checks for or pulls model updates.
The Pattern Is Not Chrome-Only
This is a series, and Chrome is the first episode because it is the largest. The same pattern is in other browsers, each in its own form.
- Microsoft Edge ships a Copilot Sidebar that is enabled by default for many users; the toggle lives at
edge://settings/copilot. - Brave Browser ships Leo AI built in, with a cloud-mode toggle in Settings → Leo.
- Firefox added an AI Chat sidebar with a configurable provider in
about:preferences#general→ AI Chatbot. - Arc ships AI features in Settings → AI; the project is now under The Browser Company.
- Apple Safari integrates Apple Intelligence on supported macOS and iOS versions, configured under System Settings → Apple Intelligence.
The architecture varies. The pattern is the same: an AI feature added by default, exposed to web pages or to the user, with the awareness path tucked into a Settings page that few users will visit unprompted. We will take each of these in turn over the coming episodes, and the awareness path for each.
What To Take Home
If your browser ships an API without a permission prompt, the browser has stated where that API stands. It is treating the feature like part of the standard platform: not a privileged surface that needs explicit user consent, but a default capability of the runtime.
That is not an argument against Chrome's built-in AI. It is an argument for knowing it is there. The feature is real. The performance is genuinely good. The local-model architecture is, in some respects, more privacy-respecting than a cloud round-trip would have been. The quarrel is not with the existence of the feature. It is with the silence of its arrival, and with the dialog that the browser used to show and now does not.
The browser used to ask about the camera. It does not ask about the model. The line moved. The dialog did not.
If you have not looked, you do not know what is on. The looking is not difficult. It just has to start.
Chrome ships seven on-device AI APIs (LanguageModel, Summarizer, Translator, Writer, Rewriter, Proofreader, LanguageDetector) backed by Gemini Nano. Generally available for extensions since Chrome 138 (May 2025); Origin Trial for web pages. Hardware bar: >4 GB VRAM, 16 GB RAM, 22 GB free disk, supported OS. No permission prompt at any point. Capability probe
LanguageModel.availability()exposes hardware class to any caller. Privacy Sandbox retired April 2025; Google ad policy permits fingerprinting since February 2025; CVE-2026-0628 fixed January 2026. Three tabs reveal the model; one Enterprise registry value disables it. Same pattern in Edge, Brave, Firefox, Arc, Safari.