MalwareBytes

Meta pauses controversial employee-tracking program after security review


Meta has paused a controversial employee‑tracking program after an internal security review found that highly granular keystroke and screen‑capture data from staff laptops was far more widely accessible inside the company than intended.

The program was part of Meta’s Model Capability Initiative (MCI), which collected mouse movements, click locations, keystrokes, and screen content from employees’ work laptops to help train internal AI systems.

The program also introduced an obvious risk. Collecting highly sensitive employee activity data is one thing. Keeping it properly secured is another.

According to reporting based on internal documents and employee accounts, the data wasn’t just collected. It was left accessible across thousands of internal data tables, including AI prompts, transcriptions, private conversations, and performance‑related information.

After coverage of the exposure, Meta scaled back and then paused the initiative, amid sustained internal backlash and questions about whether privacy protections were ever more than a reassurance in a memo.

From Meta’s perspective, the Model Capability Initiative was an efficiency play. The goal was to provide AI models with “real examples of how people actually use computers” by passively logging how employees navigate everyday tools like Gmail, GChat, Metamate, and VS Code. Agents would be able to learn from live workflows instead of synthetic benchmarks.

Employees were promised that the data gathering would be limited to work apps and not employees’ phones. But you can imagine how it was perceived:

  • Keystroke and mouse‑tracking software was pushed to US workers’ laptops, with no option to opt out on company devices, as confirmed internally by Meta’s CTO.
  • The software captured inputs plus associated screen content, creating a behavioral dataset: what you type, where you click, what is on your screen while you do it.

The program prompted significant internal criticism. An engineer’s internal post protesting “laptop surveillance” and screen monitoring went viral inside Meta, sparking a petition to kill the program entirely.

From a compliance angle, employee-monitoring programs of this scope can raise difficult legal and regulatory questions, particularly in jurisdictions that require transparency around workplace surveillance and data collection.

The reputational impact is arguably even worse. When a company is always under scrutiny for tracking users, breaking trust with employees sends a strong signal about its default attitude toward data.

All this despite the fact that keystroke and screenshot data is high‑risk by design. That type of data is content‑rich, behavioral, and often contains secrets. Collecting it at scale creates a security burden. Every new data point adds obligations around access control, minimization, retention, and audit that the organization must actively manage for as long as the data exists.

  • Access controls must be precise and regularly audited, because a simple misconfiguration can have big consequences.
  • Data minimization and retention limits are essential since long‑term storage multiplies the impact of a potential breach.
  • Any future data leak—internal or external—could expose not just emails, but the exact sequences employees type, including authentication flows and draft content. In the wrong hands, this kind of information could expose the company to compromise.

This episode is a reminder that every new dataset creates new responsibilities. The more detailed and sensitive the information, the greater the consequences when access controls fail.
