Exclusive-Meta tool to track employee mouse clicks on collision course with EU privacy rules
· CNA · JoinRead a summary of this article on FAST.
Get bite-sized news via a new
cards interface. Give it a try.
Click here to return to FAST Tap here to return to FAST
FAST
NEW YORK/AMSTERDAM, May 29 : Meta Platforms' plan to collect detailed records of U.S. employees’ computer usage for training its AI models is more extensive than initially described and set to capture non-U.S. data in the process, according to internal documentation seen by Reuters.
The documents introduce fresh complications for the project — a key component of CEO Mark Zuckerberg’s broader plan to transform how the company operates around AI agents — that could draw Meta into a new European privacy fight, rights groups told Reuters.
The Facebook and Instagram owner told staff last month it was launching the tool to capture how people use computers, including mouse movements, clicks and navigation through dropdown menus, in order to build AI agents that can perform everyday software tasks autonomously.
The tool, called Model Capability Initiative, or MCI, is pulling in data from more than 200 apps and websites, according to a list Meta shared with staffers. The company said it would impact only U.S. employees and that safeguards were in place to protect sensitive information.
CNA Games
Guess Word
Crack the word, one row at a time
Buzzword
Create words using the given letters
Mini Sudoku
Tiny puzzle, mighty brain teaser
Mini Crossword
Small grid, big challenge
Word Search
Spot as many words as you can
Show More
Show Less
In the weeks since its launch, however, Meta employees have complained that MCI was consuming so much data that it was causing their home internet usage to spike, in some cases using up an entire month’s quota within days, according to internal posts seen by Reuters.
Meta also acknowledged in a question-and-answer document provided to employees that the tool would capture the contents of any emails or direct messages sent to U.S. personnel, regardless of the sender’s location.
In a statement, Meta spokesperson Dave Arnold said MCI was installed only on U.S. employees’ devices and that its focus was on how people interact with computers, not the content on their screens.
“In the interest of transparency, we notified non-U.S. employees that it was deployed on the computers of U.S. colleagues they may email or chat with in the normal course of business,” said Arnold.
He confirmed the approximate number of apps and websites the tool is tracking, but declined to answer detailed questions about how much data it is ingesting and its legality.
“We carefully considered and mitigated potential privacy risks in both the development and deployment of this tool, and we are committed to complying with applicable laws and regulations," he said.
GDPR COMPLIANCE QUESTIONS EMERGE
The findings could deepen Meta’s regulatory troubles in the European Union, where tech companies are facing heated legal clashes over how they collect and deploy data.
While U.S. workers have few protections against employer surveillance, companies operating under the EU’s General Data Protection Regulation must have a legal basis for processing personal data, disclose what is collected and meet strict conditions for especially sensitive data like health information.
In Meta’s FAQ document on MCI, one entry addressed the tracking from the perspective of a non-U.S. employee: “I'm based outside the U.S. Will my conversations or data be captured if I'm communicating with a U.S.-based colleague who has the tool enabled?”
The company's response: “If a U.S.-based colleague has the tool enabled while gchatting or emailing with someone outside the U.S., that activity would be captured.”
Meta also said in the FAQ that data collected by MCI would be “dissociated” from identifying employee information and therefore could not be looked up or deleted for individuals, a requirement in Europe.
Kleanthi Sardeli, a legal expert at privacy advocacy group NOYB ("none of your business"), told Reuters that even limited or indirect capture of EU employee data could put Meta in violation of GDPR rules.
Key sticking points could include whether the tool’s collection of European data is considered “incidental” or counted as monitoring under the GDPR, and whether the initiative can pass a “purpose limitation” test, she added.
“This data was originally collected for the purpose of work communication and fulfilling an employment contract. Taking an employee's chat and ingesting it into an AI model is incompatible with that initial purpose,” said Sardeli.
Meta told the Irish Data Protection Commission, its lead EU privacy regulator under GDPR, that neither EU employee data nor the recording of screen content "falls within the primary purpose of the tool," a DPC spokesperson told Reuters, without elaborating.
Arnold, the Meta spokesperson, declined to comment on the company’s exchanges with regulators.
EMPLOYEE BACKLASH OVER DATA SCOPE
The MCI project is part of a far-reaching restructuring at Meta aimed at handing large swaths of work over to AI agents, which has prompted an angry backlash among employees, who have likened Meta to an “Employee Data Extraction Factory.”
In an internal post, one employee shared findings of a detailed analysis of MCI log files performed with the aid of Anthropic’s Claude, the type of AI tool Meta has been pushing staffers to incorporate into their workflows.
According to the analysis — replicated by others — MCI was tacked on to the company’s existing data security software, giving it access to additional details including employees’ code changes, their computers’ sleep and wake cycles, URLs visited and any clipboard content they copy and paste, which it then stored less securely in unencrypted form.
Compiling that volume of data would make it possible to build “a complete behavioral model of how a knowledge worker does their job,” the employee wrote.
“Not ‘an AI that clicks a dropdown for you’ but ‘an AI that knows which dropdown to click, what to select, which document to paste it into, and what to do next,'” she wrote.
The employee’s post later vanished, two other employees told Reuters.
Arnold, the Meta spokesperson, called the post’s conclusions “fundamentally inaccurate,” but declined to address questions about its claims or say whether the company had removed it.
Johnny Ryan, director of the Irish Council for Civil Liberties' Enforce unit, said the exchanges inside Meta reinforced why he considers it “essential” that the DPC investigate the initiative.
“This situation, this case, is not limited to Meta employees. It relates to every employee in every sector where they could be replaced. Everybody cares about this if they understand what it is,” he said.
Newsletter
Week in Review
Subscribe to our Chief Editor’s Week in Review
Our chief editor shares analysis and picks of the week's biggest news every Saturday.
Sign up for our newsletters
Get our pick of top stories and thought-provoking articles in your inbox
Get the CNA app
Stay updated with notifications for breaking news and our best stories
Get WhatsApp alerts
Join our channel for the top reads for the day on your preferred chat app