Meta Pauses Its Employee-Tracking AI Program After Sensitive Data Exposure

Meta paused a controversial internal program with which it tracked its employees, after sensitive data belonging to those employees was exposed to anyone working at the company. The program, known internally as the "Model Capability Initiative" (MCI), launched in April 2026 with the aim of training Meta's AI systems on how its employees work. The company halted it on June 22, 2026, while investigating a security issue.

What Did the Program Collect?

MCI captured from Meta's US-based employees their mouse movements, clicks, and keystrokes, in addition to periodic screenshots of what was happening on their screens. The stated goal: to teach AI models how human workers navigate between tasks and complete them on a computer — an area where AI has long struggled. Meta's chief technology officer had told employees in an internal memo that collecting this data would help the company operate more efficiently via "agents" that do most of the work, so the human role becomes directing and reviewing.

Not an External Breach... but an Internal Misconfiguration

A crucial point to clarify: the exposure was not the result of an external attack, but a permissions misconfiguration that made a huge pool of detailed employee behavioral data readable by any employee inside the company. According to reports, the exposed data included private conversations, performance data, and transcriptions. The problem was discovered on June 18 and addressed within four hours, but the first fix did not hold, so the company had to lock down access further. A Meta spokesperson said there was "no indication at this time" of improper data access, and that the program was paused pending the completion of the investigation.

Internal Controversy Predating the Leak

MCI had been controversial inside Meta since its launch, for reasons beyond security. Employees objected to being monitored by software designed to learn from them, a tension sharpened because the program arrived ahead of a series of layoffs that included a May 2026 announcement to cut 8,000 jobs. To ease this concern, Meta added a "pause" feature that lets an employee disable tracking for up to thirty minutes at a time — an addition that itself revealed how pervasive the monitoring had become. Those who objected earlier say leadership "doubled down" and ignored employees' concerns about the privacy of their data and customer data.

Legal Dimensions: The Specter of GDPR

The program's risks extend beyond office grumbling to legal accountability. Logging keystrokes and screenshots of identifiable employees runs straight into Europe's data-protection regime (GDPR), which sets a strict standard for processing personal data and treats an employee's "consent" in the workplace as unreliable due to the power imbalance between employer and employee. A leak that makes sensitive records broadly accessible is precisely the kind of failure those rules were written to prevent.

A Broader Lesson for Organizations

The incident raises a question beyond Meta: as more companies experiment with monitoring work patterns to train assistants and agents, every set of behavioral data collected becomes a new security burden. Once work behavior is collected to train AI, every app, message, and screen becomes part of the protection responsibility. The lesson is that such programs require strict internal access controls matching the sensitivity of the data, rather than leaving a huge pool exposed to all workers. As of this writing, MCI remains paused, with Meta not specifying a date for its return or whether it will come back in its current form, redesigned, or be discontinued.