Meta built a tool to spy on its own employees down to every keystroke and cursor twitch, then left the resulting trove of private data — conversations, performance reviews, medical and tax information — accessible to every single person in the company. On Monday, Meta announced it would pause the program while it investigates. The stakes for ordinary Americans are plain: the same corporations that hoover up your data and lecture the country about trust and safety cannot even secure the surveillance apparatus they turned on their own workforce.

The program is called the Model Capability Initiative, or MCI. Rolled out in April, it captures mouse movements, clicks, keystrokes, and occasional screenshots from U.S.-based employees' computers and feeds it all into Meta's AI models as training data. It was mandatory for most staff. More than 1,600 employees signed an internal petition protesting the laptop surveillance, warning it introduced "both security and regulatory risks for Meta, including the potential for breaches and unauthorized disclosure," according to WIRED. Their warning just came true.

An employee filed a high-priority security incident report — a SEV 2, per Business Insider — after discovering that sensitive worker data across 45,000 internal database tables had been left open to the entire company. The exposed material included "full prompts and transcriptions, private conversations, people & performance data, DSS sensitivity ratings," according to documents reviewed by Reuters and WIRED. One employee wrote on the internal incident discussion: "I have accessed both personal tax and medical information through my work computer, as have many thousands of employees. We were told this data would be protected and only used for valid business purposes after aggressive filtering." Reuters had already reported in May that MCI was collecting more information than initially described and storing it in unencrypted form.

This was not a hack. It was a permissions misconfiguration — an open filing cabinet designed and operated by Meta itself. The company that wants to train AI by watching its own workers work could not keep the resulting detail away from those same workers.

Meta spokesperson Tracy Clayton offered the standard line: "We have carefully designed this program with privacy safeguards and while we have no indication at this time that any data was improperly accessed by Meta employees, we're pausing it while we investigate." CTO Andrew Bosworth told staff the implementation had fallen short of the standards outlined in its privacy review, WIRED reported. The company declined to say how long the halt would last. As of Monday afternoon, the tool was still recording, according to a source who spoke to Reuters; the pause was rolling out gradually.

Zuckerberg himself justified the surveillance in leaked audio from a company meeting, telling employees that "AI models learn from watching really smart people do things" and that "the average intelligence of the people who are at this company is significantly higher" than the average contractor who could be hired to produce training data, WIRED reported. So Meta's workforce is smart enough to be harvested but not entitled to basic data protection.

Meta later offered workers a pause button — letting them switch off tracking for 30 minutes at a stretch. TNW noted the concession mainly underscored how constant the monitoring was otherwise. The program also arrived ahead of job cuts, sharpening the tension between workers and the surveillance software built to learn from them.

WIRED reported that the incident has been marked as closed internally and is likely resolved. Bosworth said findings would be shared. Whether MCI returns in its current form, redesigned, or scrapped entirely remains unanswered.

The question that hangs in the air: if the most powerful tech company on earth cannot secure the panopticon it built for its own employees, what exactly is it doing with yours?