Meta is facing intense regulatory questioning over a new internal tracking tool designed to monitor U.S. employees’ computer usage. According to internal documents reviewed by Reuters, the system inadvertently captures data from European staff as well, potentially putting the tech giant in violation of the European Union’s stringent privacy regulations.
The Model Capability Initiative
The software, known as the Model Capability Initiative (MCI), was developed to train artificial intelligence (AI) models by observing how humans interact with their computers. It logs granular actions—including mouse movements, clicks, keystrokes, and dropdown menu navigation—across more than 200 applications and websites.
While Meta previously asserted that the surveillance tool would only impact U.S.-based employees, the company acknowledged in a recently surfaced internal Q&A document that the system captures the contents of emails and direct messages sent to U.S. personnel, regardless of where the sender is located.
Bandwidth Spikes and Internal Backlash
Since the tool’s deployment, Meta employees have voiced significant frustration. Internal message boards reveal that MCI consumes so much data that it has caused massive spikes in home internet usage, with some workers reporting that the software exhausted their entire monthly data quotas in just a few days.
Employees have fiercely criticized the initiative, mocking the company as an “Employee Data Extraction Factory” and expressing fears that they are training the very AI agents meant to replace them.
Dave Arnold, a spokesperson for Meta, defended the initiative, emphasizing that MCI is installed strictly on U.S. devices. He stated that the tool focuses on user-computer interaction mechanics rather than the substantive content of screens.
“In the interest of transparency, we notified employees outside the U.S. that the tool was deployed on the computers of their U.S. colleagues with whom they might exchange emails or chat during the course of normal work,” Arnold said.
GDPR Compliance and Regulatory Friction
The indirect collection of European data threatens to deepen Meta’s regulatory challenges in the EU, where tech companies are already navigating a complex legal landscape regarding data processing. Under the General Data Protection Regulation (GDPR), companies must establish a solid legal basis for processing personal data and meet strict conditions for sensitive information.
Kleanthi Sardeli, a legal expert at the privacy advocacy group NOYB (“None of Your Business”), told Reuters that even the limited or incidental capture of European employees’ data could constitute a GDPR violation. At the heart of the issue is whether this data collection passes the GDPR’s “purpose limitation” test, or if it counts as unauthorized monitoring.
“These data were originally collected for work communication and the fulfillment of an employment contract,” Sardeli explained. “Taking an employee’s chat and ingesting it into an AI model is incompatible with that initial purpose.”
Meta has reportedly informed the Irish Data Protection Commission (DPC)—its lead privacy regulator in the EU—that the collection of European employee data and screen recordings “does not fall within the primary purpose of the tool,” according to a DPC spokesperson.
Security Concerns and Behavioral Modeling
The MCI project is part of a broader structural overhaul at Meta aimed at delegating large swaths of knowledge work to autonomous AI agents. However, the technical implementation has raised alarms internally.
In a detailed internal post, one employee shared findings from an analysis of MCI’s log files, conducted with the help of Anthropic’s Claude AI. The analysis—which was reportedly replicated by other staff members—revealed that MCI was tethered to Meta’s existing data security software. This connection allegedly grants the tool access to unencrypted, highly sensitive information, including:
- Source code changes
- Computer sleep-wake cycles
- Visited URLs
- Copied and pasted clipboard contents
Compiling this massive volume of data, the employee warned, enables the creation of a “complete behavioral model of how a knowledge worker does their job.”
“It’s not ‘an AI that clicks a dropdown for you,’ but ‘an AI that knows which dropdown to click, what to select, what document to paste into, and what to do next,'” the worker wrote.
According to two employees who spoke to Reuters, the post detailing these findings subsequently vanished from internal forums. When questioned, Arnold declined to confirm whether Meta removed the post but characterized the employee’s conclusions as “fundamentally inaccurate.”
Johnny Ryan, Director of the Enforce unit at the Irish Council for Civil Liberties (ICCL), argued that the internal conflict at Meta underscores the urgent need for a DPC investigation.
“This situation, this case, is not limited to Meta employees. It relates to every employee in every sector where they could be replaced,” Ryan said. “Everyone cares about this if they understand what it is.”
Source: Olhar Digital, Reuters
