⚡ URGENT · GC ACTION BRIEF · FIRST-MOVER WINDOW OPEN NOW
To: Amani Joffe · GC EOSE Labs Inc. + GC Scarborough Transit Connect (~$10B SSE)
From: Kay Joffe + EOSE Legal Intelligence (msi01 Admiral)
Re: Google Chrome Gemini Nano — Canadian legal strategy
Urgency: CASL 3-year limitation period runs from May 2026 (researcher public disclosure). OPC complaint: no limitation. First-mover who files shapes the precedent.
30-SECOND BRIEF
Google Chrome silently installed a 4GB AI model (Gemini Nano) on hundreds of millions of devices since 2024 with no consent, no opt-in, no notification, and a re-download persistence mechanism that re-installs the model after deletion. The model has an API surface accessible by any website.
In Canada: prima facie CASL s.8 violation (express consent required for computer program installation) + PIPEDA meaningful consent violation. The re-download behaviour is legally equivalent to rootkit persistence and is the aggravating factor courts will focus on.
Ontario CASL s.47 exposure: ~$1.26 billion (6.3M Ontario devices × $200/installation). This is the strongest CASL s.8 case ever available. The first-mover who files shapes Canadian AI/consent law for the next decade.
THE LEGAL FACTS AMANI NEEDS
- 1. Chrome downloaded Gemini Nano (~4GB) silently to every eligible device — no prompt, no opt-in, no notification
- 2. Persistence: delete the model → Chrome re-downloads silently on next restart. This is the legally aggravating factor (rootkit-equivalent behaviour)
- 3. The model has an open API (chrome.ai.languageModel) callable by any website — so any site can invoke it to process the user's browsing context locally
- 4. Google's defence: "Our ToS says software sometimes updates automatically." This fails: Gemini Nano is not an update to Chrome, it's a new AI model — a new computer program requiring fresh express consent
- 5. EU rollout is staged (multiple EU users report no download). This means Google knows the deployment raises legal issues — they're avoiding the EU first
- 6. February 2026: Google added a settings toggle to disable it. This proves they knew consent was needed — they deployed first, disclosed later. Classic "collect first, defend later" pattern (See: OPC v. Clearview AI)
- 7. Closest precedent: Sony BMG rootkit (2005) — settled $150M. Chrome case is stronger (larger scale, open API surface, more aggressive persistence)
THREE PARALLEL STRATEGIES (RECOMMEND ALL THREE)
STRATEGY 1: OPC + CRTC Regulatory
File OPC complaint (PIPEDA consent) + CRTC referral (CASL s.8) simultaneously.
Cost: Near zero
Timeline: 12-24 months
Value: Sets Canadian precedent. Creates public record. Positions EOSE as authority.
Amani can sign as affected individual. EOSE provides technical evidence. OPC has investigative jurisdiction, no limitation period.
IMMEDIATE — file this week
STRATEGY 2: Ontario Class Action
CASL s.47 private right of action.
Exposure: ~$1.26B Ontario (statutory)
Timeline: 3-5yr to trial, settlement pressure at 12-18 months
Counsel: Koskie Minsky, Paliare Roland, Merchant Law Group
Finance: Litigation finance available for class actions at this scale
EOSE role: DA-ENGINE + DA-CORPUS as technical evidence foundation
RETAIN COUNSEL THIS MONTH
STRATEGY 3: Enterprise B2B Advisory
Amani's GC network is the distribution channel.
Product: "Chrome Gemini Nano: Enterprise Legal Risk Assessment"
Format: GC to GC briefing (Amani is the messenger)
STC angle: $10B public infrastructure project — procurement integrity risk
Revenue: Immediate advisory fees + EOSE sovereign alternative positioning
Every enterprise GC now has this problem. Amani has the solution.
IMMEDIATE — use your GC network
SCARBOROUGH TRANSIT CONNECT SPECIFIC RISK
The Scarborough Transit Connect project (~$10B SSE subway) operates with enterprise Chrome on project devices. If Chrome's Gemini Nano processes any project-related browsing context (procurement negotiations, contractor communications, engineering documents, financial terms) via the chrome.ai API — third-party exposure risk exists.
Procurement integrity question: Is sensitive procurement data being processed by a Google AI model on project devices? Does this meet the project's data handling obligations?
Action: Brief STC IT/security team. Recommend immediate Chrome policy (disable On-device AI via Group Policy). Document the remediation steps taken — this creates a defensible record.
WHAT EOSE BUILT (for Amani's understanding of the sovereign alternative)
EOSE runs local AI models (yone/forge, RTX 5090/5080, 64GB RAM) under direct fleet control.
Models invoked ONLY by authorised EOSE workflows · SOSTLE-gated access control · No external API surface
Audit-logged (every invocation in PEMLAAM sovereign graph) · Immediately revocable · No re-download
This is what Google SHOULD have done. They didn't because enterprise consent is slower and more expensive than silent update-channel deployment. EOSE proves the correct approach exists and is commercially viable.
IMMEDIATE ACTIONS FOR AMANI THIS WEEK
- URGENT: Check all EOSE-owned/managed devices. Visit chrome://on-device-internals to confirm if Gemini Nano is present. If yes: confirmed CASL violation on EOSE estate.
- URGENT: Brief STC IT team — project devices running Chrome need immediate On-device AI disable via Settings → System → Turn On-device AI off.
- This week: File OPC complaint (cost: zero, high value). Amani can sign as affected individual. EOSE provides technical DA-CORPUS as supporting evidence.
- This week: File CRTC complaint (CASL s.8 referral). CRTC actively seeks novel CASL cases — this is exactly what they want.
- This month: Preliminary conversation with class action counsel (Koskie Minsky / Paliare Roland). No commitment, just explore certification theory.
- This month: Draft advisory paper for GC network: "Chrome Gemini Nano — What Every Enterprise GC Needs to Know." EOSE produces, Amani reviews and distributes.
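DEVICE CHECK AND REMEDIATION RECORD (added example, not EOSE or Google code)
For the device check and the Chrome policy disable described above, a per-device audit that records whether the model files are present and whether a blocking policy is set, producing the timestamped record the STC action asks for. The directory name OptGuideOnDeviceModel, the policy name GenAILocalFoundationalModelSettings and the Linux paths are assumptions not stated in this brief; the function names are illustrative.

```python
import json
from datetime import datetime, timezone
from pathlib import Path

# Assumptions, not stated in the brief: Chrome stores the on-device model in
# "OptGuideOnDeviceModel" under its user-data directory, and the enterprise
# policy GenAILocalFoundationalModelSettings = 1 blocks the model download.
MODEL_DIR = "OptGuideOnDeviceModel"
POLICY = "GenAILocalFoundationalModelSettings"

def model_footprint(user_data_dir):
    """Return (present, total_bytes) for the model directory under user_data_dir."""
    root = Path(user_data_dir) / MODEL_DIR
    if not root.is_dir():
        return False, 0
    return True, sum(f.stat().st_size for f in root.rglob("*") if f.is_file())

def policy_value(policy_dir):
    """Return the policy value found in managed-policy JSON files, or None if unset."""
    value = None
    for path in sorted(Path(policy_dir).glob("*.json")):
        try:
            data = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed file: report nothing from it
        if isinstance(data, dict) and POLICY in data:
            value = data[POLICY]  # last file in sorted order is the one reported
    return value

def audit(host, user_data_dir, policy_dir):
    """Build one timestamped evidence record for a device."""
    present, size = model_footprint(user_data_dir)
    value = policy_value(policy_dir)
    blocked = type(value) is int and value == 1
    if present:
        status = "policy set, model files remain" if blocked else "model present, download not blocked"
    else:
        status = "remediated" if blocked else "model absent, policy not set"
    return {"host": host, "checked_at": datetime.now(timezone.utc).isoformat(),
            "model_present": present, "model_bytes": size,
            "policy_value": value, "status": status}

if __name__ == "__main__":
    # Typical Linux locations; pass the Windows or macOS user-data path instead.
    print(json.dumps(audit("localhost", Path.home() / ".config/google-chrome",
                           "/etc/opt/chrome/policies/managed"), indent=2))
```

Run it before and after the policy is pushed and keep both records: the first documents the state found, the second documents the remediation.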