A meta program to monitor mouse clicks made by employees in violation of EU privacy regulations

Internal documents reviewed by ​Reuters show Meta Platforms’ (META.O) effort to collect detailed logs of U.S. workers’ computer activity to train its artificial intelligence models is broader than previously stated and would sweep up non-U.S. information along the way.

The documents present significant challenges for the project – a major part of CEO Mark Zuckerberg’s bigger strategy to overhaul how the firm functions around AI agents – that might drag Meta into a new European privacy battle, rights groups told Reuters.

Last month the owner of Facebook and Instagram told staff it was introducing the tool to capture how people use computers including mouse movements, clicks and navigation through drop-down menus to construct AI agents that can automatically do routine software jobs.

The program, Model Capability Initiative or MCI, is gathering data from over 200 apps and websites, according to a list Meta shared with colleagues. The cuts will affect only U.S.-based personnel and protections are in place to protect sensitive information, the corporation said.

But in the weeks since the introduction, Meta employees have complained that MCI was using so much data it was generating spikes in their personal internet usage, in some cases devouring an entire month’s limit in just days, according to internal posts obtained by Reuters.

In a question-and-answer paper sent to staff, Meta also said the tool would collect the contents of any email or direct message sent to anybody in the U.S., no matter where the sender was located.

MCI was “not installed on devices used by employees in the U.S.,” and focused on how individuals interacted with their computers, not what was on their screens, Meta spokesperson Dave Arnold said in a statement.

“We told non-U.S. employees in the spirit of transparency that it was used on the computers of U.S. colleagues they might email or chat with in the normal course of business,” Arnold said.

He acknowledged the rough number of apps and websites the program is tracking, but declined to answer questions about how much data it is consuming and whether it is lawful.

“We’ve looked at and taken steps to mitigate any potential privacy concerns during the development of this tool and as we roll it out, and we remain committed to complying with all applicable laws and regulations,” he said.

GDPR Compliance Issues Increasing

The findings could add to Meta’s regulatory headaches in the EU, where digital companies are embroiled in fierce legal battles over data collection and use.

U.S. workers rarely have any protection against being monitored by their employer, but companies operating under the EU’s General Data Protection Regulation must have a legal basis for processing personal data, disclose what they collect and meet strict conditions for especially sensitive data like health information.

One entry in Meta’s FAQ sheet on MCI was on tracking from the perspective of a non-U.S. employee: “I’m based outside the U.S. “Will my conversations or data be picked up if I’m talking with a U.S.-based colleague who has the tool enabled?”

The company’s response: “If a U.S.-based colleague has the tool turned on while gchatting or emailing with someone outside the U.S., that activity would be captured.

Meta also noted in the FAQ that data acquired by MCI would be “dissociated” from identifying employee information and hence could not be looked up or deleted for individuals, a requirement in Europe.

Kleanthi Sardeli, a legal expert at privacy advocacy organization NOYB (“none of your business”), told Reuters that even minimal or indirect collection of EU employee data might put Meta in breach of GDPR requirements.

She said that key sticking points could include whether the tool’s acquisition of European data is deemed “incidental” or constitutes monitoring under the GDPR, and whether the effort can pass a “purpose limitation” test.

“Such data was originally obtained in the context of work communication and the performance of the employment contract. “Feeding an employee’s chat to an AI model does not align with that initial purpose,” Sardeli said.

Meta notified the Irish Data Protection Commission, the lead EU privacy regulator under GDPR, that neither EU employee data nor the recording of screen content “falls within the primary purpose of the tool,” a DPC representative told Reuters without elaborating.

“We are not going to comment on the company’s exchanges with regulators,” said Arnold, the Meta spokesperson.

BACKLASH FROM EMPLOYEES OVER DATA SCOPE

The MCI project is part of a sweeping reorganisation at Meta that aims to give over big chunks of labour to AI agents. That has led to an intense response among staff, who have compared Meta to a “Employee Data Extraction Factory.”

One employee discussed internal discoveries from a deep dive of MCI log files using Anthropic’s Claude, an AI tool Meta has been nudging employees to incorporate into their job.

The analysis – replicated by others – found that MCI was added to the company’s existing data security software, giving it access to more details including employees’ code changes, their computers’ sleep and wake cycles, URLs visited and any clipboard content they copy and paste, which it then stored less securely in unencrypted form.

The employee said that having that much data would allow the construction of “a complete behavioural model of how a knowledge worker does their job.”

Not ‘an AI that clicks a dropdown for you’ but ‘an AI that knows which dropdown to click, what to pick, which document to paste it into, and what to do next,’ she wrote.
Two additional employees told Reuters that the employee’s post later disappeared.

“The conclusions of the post are fundamentally inaccurate,” said Meta spokeswoman Arnold, who would not answer questions about its assertions or indicate if the firm had taken it down.

The interactions within Meta bolstered why Johnny Ryan, director of the Irish Council for Civil Liberties’ Enforce team, believes it is “essential” that the DPC investigate the effort, he told CNN.

“This situation, this case, is not only for Meta employees. It applies to every worker in any industry where they could be replaced. If people know what it is, everybody worries about this,” he said.