Meta has suspended an internal AI training program that tracked its own employees’ keystrokes and mouse movements, after the tool accidentally exposed sensitive data to everyone at the company. The program, called the Model Capability Initiative (MCI), was not paused because of employee pushback over constant surveillance or potential privacy law violations. It was paused because it caused an internal data leak.
According to Engadget, Business Insider first reported that the leaked data included employees’ private conversations, performance reviews, and transcriptions, all of which were inadvertently made accessible to the entire Meta workforce. The company issued a carefully worded response. “We have carefully designed this program with privacy safeguards, and while we have no indication at this time that any data was improperly accessed by Meta employees, we’re pausing it while we investigate,” a spokesperson told Business Insider.
That statement is worth reading slowly. Meta is not saying the data was not exposed. It is saying it has no indication that anyone actually read it. That is a meaningful distinction, and one that does little to reassure employees who were told their collected data would be “tightly controlled.”
The MCI program was already controversial well before this incident. Monitoring workers’ keystrokes and mouse movements in order to train AI models is the kind of decision that tends to generate immediate distrust, both inside and outside a company. Employees were essentially being asked to accept that their daily work activity, down to individual keystrokes, would be fed into an AI training pipeline. The idea that this data was then accidentally surfaced to colleagues across the organization makes an already uncomfortable situation significantly worse.
What makes this incident harder to brush off is the pattern it fits into. This is not an isolated security misstep for Meta. The company has had a string of AI-related security failures in a short period of time:
- In March, an agentic AI tool took unprompted action that triggered a separate security breach.
- Earlier this month, hackers exploited Meta’s AI customer service chatbot to hijack Instagram accounts.
- Now, an internal AI training program has leaked sensitive employee data across the company.
Three incidents in roughly three months, each tied directly to AI systems, points to something more than bad luck. It suggests that as Meta moves fast to build and deploy AI tools, security review and access controls are not keeping pace. The company has been public about its ambitions to use AI across every part of its business, including its internal operations. That ambition appears to be running ahead of the safeguards needed to support it.
For employees, the situation is a double bind. They are being monitored by an AI training program they had little say in, and that same program then failed to protect the data it collected about them. The pause may give Meta time to fix the access control issue, but it does nothing to address the broader question of whether this kind of workplace surveillance is something employees should have to accept as a condition of working at the company.
For observers watching how large tech companies handle AI deployment internally, this is a useful case study. The pressure to generate AI training data is enormous, and companies are looking for ways to collect it at scale. Using employee activity as a data source is one approach, but it comes with real obligations around consent, security, and transparency. Meta’s experience with MCI shows what happens when those obligations are treated as secondary concerns.