Overview
Internal documentation and employee postings describe a Meta Platforms initiative to record granular computer usage data from staff devices as part of an effort to train AI that can carry out routine software tasks. The effort, known within the company as the Model Capability Initiative, or MCI, is reported to capture mouse movements, clicks, and navigation through dropdown menus, and to ingest information from more than 200 applications and websites.
Meta has told employees that the software is deployed on machines used by U.S. personnel and defended the program as focused on interaction patterns rather than the literal content displayed on screens. At the same time, documents and internal questions and answers shared with staff acknowledge that the tool will capture the contents of emails or direct messages sent to U.S. employees, regardless of where the sender is located. That admission, along with staff accounts that MCI is collecting large volumes of data and sometimes straining personal internet connections, has renewed concerns among privacy experts about compliance with European data protections.
How MCI works, according to internal material and employee accounts
Company communications describing MCI say the tool records how people use computers with the express aim of building autonomous AI agents that can handle everyday software tasks. The list of tracked items provided to employees covers more than 200 apps and websites, and internal Q&A material explicitly addresses what happens when U.S.-based staff with MCI enabled interact with colleagues overseas.
One response in the company FAQ states that if a U.S.-based colleague has the tool enabled while "gchatting or emailing with someone outside the U.S., that activity would be captured." The FAQ also indicates that MCI data will be "dissociated" from identifying employee information, and consequently could not be searched for or removed at an individual level - a limitation that privacy advocates have flagged as potentially inconsistent with European rights to access and erasure.
Employees have reported other operational effects. Internal posts seen by staff describe instances in which MCI’s data collection caused employees' home internet usage to spike, in some cases exhausting monthly data allowances within days. That practical impact has heightened concern among workers about the project’s scale and intrusiveness.
Company response
A Meta spokesperson, Dave Arnold, said MCI was installed only on U.S. employees' devices and that the tool's stated focus is on interaction patterns rather than on screen content. "In the interest of transparency, we notified non-U.S. employees that it was deployed on the computers of U.S. colleagues they may email or chat with in the normal course of business," Arnold said. He confirmed the approximate number of apps and websites the tool is tracking but declined to provide detailed figures about total data ingestion or to discuss legal assessments in depth.
Arnold added that the company "carefully considered and mitigated potential privacy risks in both the development and deployment of this tool, and we are committed to complying with applicable laws and regulations." He called the claims in an internal post about the tool's capabilities "fundamentally inaccurate," but declined to answer further questions about the post or whether it was removed.
Privacy and regulatory questions under GDPR
Meta's approach and the tool's cross-border capture of communications have prompted scrutiny from privacy advocates and regulators in Europe. Under the European Union's General Data Protection Regulation, companies must have a lawful basis to process personal data, disclose what they collect, and satisfy strict conditions for particularly sensitive categories of information. Advocates caution that even indirect or incidental capture of data belonging to EU-based employees could trigger GDPR obligations.
Kleanthi Sardeli, a legal expert at the privacy advocacy group NOYB, said limited or indirect collection of EU employee data could put Meta in breach of GDPR. Sardeli highlighted two possible issues: whether the collection of European data is merely "incidental" or amounts to monitoring, and whether the initiative meets the principle of "purpose limitation." "This data was originally collected for the purpose of work communication and fulfilling an employment contract. Taking an employee's chat and ingesting it into an AI model is incompatible with that initial purpose," she said.
A spokesperson for the Irish Data Protection Commission said Meta told the regulator that neither EU employee data nor recording of screen content "falls within the primary purpose of the tool." The company did not elaborate publicly on its exchanges with the regulator, and the Meta spokesperson declined to comment on those discussions.
Employee reaction and operational concerns
The MCI rollout forms part of a wider reorganization within the company aimed at shifting a portion of workers' responsibilities to AI agents. That broader change has generated internal apprehension and resistance. Some employees have characterized the program as an "Employee Data Extraction Factory," reflecting worry about the scale and granularity of behavioral data being collected.
In one internal post, an employee described a detailed analysis of MCI log files conducted with the help of Anthropic's Claude, an AI assistant that the company has encouraged staff to use. According to the employee's write-up - which other staff members replicated - MCI appeared to be integrated into existing data security software, thereby inheriting greater access to system details. The analysis asserted the tool collected a range of technical signals, including code changes, system sleep and wake cycles, URLs visited, and clipboard contents copied and pasted by users. The employee claimed that some of this information was then stored in unencrypted form, which, they argued, made it easier to compile a comprehensive behavioral model of how knowledge workers perform tasks.
That post suggested the data could enable an AI not only to perform a single click but to determine which dropdown to select, which document to paste content into, and what subsequent steps to take - in effect modeling the full sequence of an employee's task. The employee later reported that their post was removed from the internal forum; a Meta representative described the post's conclusions as inaccurate but would not confirm whether the company had taken it down.
Johnny Ryan, director of the Irish Council for Civil Liberties' Enforce unit, said the internal exchanges reinforced his view that the national data protection authority should investigate the initiative. "This situation, this case, is not limited to Meta employees. It relates to every employee in every sector where they could be replaced. Everybody cares about this if they understand what it is," he said.
Implications
The debate around MCI highlights tensions between corporate efforts to accelerate AI-driven automation and regulatory frameworks that place constraints on personal data processing. The tool's technical design, the company's stated deployment boundaries, and the practical evidence of cross-border data capture combine to raise legal and reputational uncertainties that will likely draw continued attention from privacy advocates, employees, and European regulators.