It is astonishing that the word “privacy” appears zero times in this announcemen...

janalsncm · 2025-09-18T19:00:37 1758222037

You are right about the omnibox changes.

But the security enhancements appear to be using Gemini nano which can run on device. They kind of buried that detail though.

https://store.google.com/intl/en/ideas/articles/gemini-nano-...

simonw · 2025-09-18T19:50:27 1758225027

Yikes! Given the inherent threat of prompt injection, using the weakest available version of Gemini seems like a particularly bad idea.

Not that even the strongest models are 100% effective at spotting prompt injection attacks, but they have way more of a fighting chance than Gemini nano does.

tadfisher · 2025-09-18T20:03:36 1758225816

You could contort the threat model such that prompt injection is something to worry about with a local model operating on local data and serving local results, sure.

BryantD · 2025-09-18T20:59:06 1758229146

I think the "local results" assumption is not completely accurate. This line: "You tell Gemini in Chrome what you want to get done, and it acts on web pages on your behalf, while you focus on other things" implies that the local agent will perform in-browser actions, which in theory enables data exfiltration.

tadfisher · 2025-09-18T21:49:52 1758232192

This iteration of Gemini doesn't perform in-browser actions, but they did announce they'll ship an agent later.

BryantD · 2025-09-18T22:17:20 1758233840

Yes. I agree that many of the announced and currently shipping features should be just fine from a security perspective with only a local agent.

simonw · 2025-09-18T23:34:53 1758238493

Running an LLM locally makes no difference at all to the threat of malicious instructions that make it into the model causing unwanted actions or exfiltrating data.

If anything a local LLM is more likely to have those problems because it's not as capable at detecting malicious tricks as a larger model.

tadfisher · 2025-09-19T00:54:52 1758243292

This is the MCP problem, essentially, and the solution is the same: the user should review and approve specific actions before they are taken.

Of course there will probably be a setting to auto-approve everything...

gruez · 2025-09-18T23:00:27 1758236427

what if there's a prompt injection in some random web page that you visited?

senordevnyc · 2025-09-18T20:09:12 1758226152

Hopefully they have it just returning a simple boolean result for whether page is suspicious, and no tool calling.

janalsncm · 2025-09-18T21:20:09 1758230409

If I had a tool which could determine whether a page was suspicious, why would I need an LLM to call it?

janalsncm · 2025-09-18T21:29:09 1758230949

No system is 100% foolproof. If the baseline is “all malicious content gets through” and this method reduces it by 95% but that last 5% is using some sophisticated prompt injection, that’s not a “yikes” that’s a major win.

At a technical level the risk isn’t from the size of the model but the fact that it is open weight and anyone can use it to create an adversarial payload.

simonw · 2025-09-18T21:51:50 1758232310

I disagree. In software security 95% is not a win - it's an invitation for users to trust a system that they shouldn't be trusting.

wrs · 2025-09-18T19:51:12 1758225072

What’s really bugging me is they didn’t think it was interesting to even touch on that point in the big announcement. Contrast Apple making a big deal about private cloud compute before it even really does anything.

M4v3R · 2025-09-18T19:16:37 1758222997

Yeah it’s insane they’ve totally ignored the privacy issue. Either they’re doing everything on device, which I doubt, or this is the biggest privacy disaster ever waiting to happen.

niutech · 2025-09-24T13:23:48 1758720228

For privacy, you should use open-source Nanobrowser with a local LLM instead.

nashashmi · 2025-09-18T19:29:16 1758223756

Privacy is dead for a company that cares to join the trillion dollar club where data is the new oil.

Long live private ecosystems

reaperducer · 2025-09-19T14:22:55 1758291775

It is astonishing that the word “privacy” appears zero times in this announcement. There have been repeated controversies over exactly how Google sees just the URL I visit. Now they want to see the entire contents of multiple browser tabs?

And yet my healthcare company's IT department insists everyone only use Chrome on work computers.

I've been bringing up the HIPAA implications of that for years, but people just look at me like I asked the dog to do algebra. All the IT department cares about is that Chrome is free.