A Meta engineer posted an internal security notice this week — not a routine update, not a scheduled audit finding. A warning that databases from the company’s Model Capability Initiative were exposed broadly to any Meta employee who cared to look. The tool had been quietly logging employee keystrokes, mouse clicks, and screen content since April. The company that turned its own workforce into AI training data couldn’t keep that data safe from its own workforce. It is like finding out your Ring doorbell has been streaming to the entire neighborhood, and it fits a pattern of covert monitoring that echoes reports of apps secretly tracking users without their knowledge.
What MCI Actually Does
Meta launched an always-on monitoring tool across U.S. employee laptops in April — with no opt-out at launch.
Every keystroke. Every mouse movement. Periodic screen snapshots across Google, LinkedIn, Slack, GitHub, and Atlassian tools. MCI captures all of it from company-issued laptops, feeding the data to AI models learning to navigate software like a human operator. Employees couldn’t opt out when the program launched. Meta’s stated promise: none of this touches performance reviews. “Carefully designed with privacy safeguards,” spokesperson Tracy Clayton told Wired.
Before the leak, employees were already calling this dystopian. Internal critics described Meta as an “employee data extraction factory,” according to public commentary obtained by reporters. Following layoffs tied to AI efficiency drives, workers weren’t just worried about privacy — they feared training their own replacements. Meta’s concession?
- A 30-minute pause button
- Exemptions for some remote or sensitive-data workers
Most staff remained covered.
The warnings about data mishandling weren’t new. Activist employees say they told leadership this would happen, describing the incident as a “mess,” per Wired’s reporting.
When the Safeguards Fail
Policy promises without hard technical controls delivered exactly the outcome critics predicted.
Buried in an internal forum post, the damage was plain: MCI’s collected data sat in databases any Meta employee could access. Workplace monitoring experts have long argued that written assurances mean nothing without enforced technical controls — the digital equivalent of a “Please Don’t Read” sticky note on an unlocked filing cabinet. Meta had the policy. It skipped the architecture. Clayton confirmed the program is paused pending investigation, with no evidence of improper access found so far.
The fallout extends beyond Menlo Park. If you work for any large tech employer, this is your preview. The MCI model — harvesting employee behavior as proprietary AI training data — offers a genuine competitive edge if executed cleanly. Privacy advocates warn it would likely conflict with GDPR principles if extended to EU workers. Internally, morale sits at what employees describe as “an all-time low,” a dynamic that fits a long-running pattern of tech scandals taking advantage of people who trusted these platforms.
Meta’s stumble doesn’t kill this category of tool. It proves the guardrails have to come before the ambition — and right now, Meta is still figuring out which it actually built first.




























