What we know so far: Meta's latest AI push appears to be built on something broader than it initially suggested: a detailed, ongoing log of how its employees use their work computers. How this plays out – whether as a win for Meta's AI ambitions or a regulatory headache – will depend on whether regulators accept Meta's distinction between behavioral data and personal information.
Internal documents reviewed by Reuters show that the company's Model Capability Initiative (MCI) is collecting interaction data across more than 200 apps and websites. The goal is to train AI systems to perform routine digital tasks autonomously. But exactly what the tool is collecting – and how far that collection extends – is drawing scrutiny both inside Meta and from privacy advocates.
At a basic level, MCI tracks how employees move through software: mouse movements, clicks, and navigation patterns. This kind of telemetry is useful for building AI agents that can replicate common workflows. Over time, these patterns could help train systems that don't just respond to prompts but also carry out multi-step tasks within standard workplace software.
What Meta did not initially emphasize is how much additional data may be pulled into that process.
According to internal materials, the system also captures the contents of emails and messages sent to US-based employees, even when those messages originate from colleagues overseas. In practice, that creates a potential backdoor flow of international data into the training pipeline. Meta acknowledged this in an internal FAQ, stating: "If a US-based colleague has the tool enabled while GChatting or emailing with someone outside the US, that activity would be captured."
The company maintains that the tool is installed only on US devices and is designed to analyze interaction behavior rather than the substance of communications. "In the interest of transparency, we notified non-US employees that it was deployed on the computers of US colleagues they may email or chat with in the normal course of business," said Meta spokesperson Dave Arnold. He added that Meta had weighed privacy risks during development and rollout and remained committed to complying with applicable laws and regulations.
Still, internally, some employees say the system behaves less like a narrow research tool and more like a broad data-capture layer embedded within existing monitoring software. Analyses shared within the company suggest MCI logs a wide range of activity, including code changes, browsing history, device sleep cycles, and clipboard actions.
If accurate, that would give Meta a near end-to-end view of how knowledge workers actually operate across tools – far more detailed than simple usage metrics.
One employee described the distinction this way: "Not 'an AI that clicks a dropdown for you' but 'an AI that knows which dropdown to click, what to select, which document to paste it into, and what to do next.'" The post containing that analysis was later removed, according to other employees.
Arnold disputed those claims, calling them "fundamentally inaccurate," but did not address the specific technical points raised.
There are also practical concerns about how the system operates. Employees have reported sharp increases in data usage after MCI was installed, with some saying it consumed an entire month's home internet allowance in just a few days. That kind of spike suggests the tool may be logging and uploading data continuously rather than sampling at wider intervals.
Outside the company, attention is turning to how this kind of data collection fits within existing privacy frameworks – particularly in Europe. Even if Meta's systems are technically limited to US infrastructure, the incidental capture of communications involving European employees could trigger obligations under the EU's General Data Protection Regulation.
Kleanthi Sardeli, a legal expert at privacy group NOYB, said the issue comes down to how that data is being repurposed. "This data was originally collected for the purpose of work communication and fulfilling an employment contract. Taking an employee's chat and ingesting it into an AI model is incompatible with that initial purpose," she told Reuters.
Meta has told Ireland's Data Protection Commission that collecting EU employee data is not the tool's primary objective, though it has not publicly detailed how incidental collection is handled.
The broader context is a company increasingly organized around automation. MCI is one piece of a larger effort to build AI agents that can take over routine digital work, from navigating internal tools to executing repetitive tasks. That shift has already sparked internal resistance, with some employees describing the initiative as an aggressive attempt to convert human workflows into machine-readable systems.
For privacy advocates, the implications extend well beyond Meta. Johnny Ryan of the Irish Council for Civil Liberties said the project reflects a wider shift in how work itself is being modeled. "This situation, this case, is not limited to Meta employees. It relates to every employee in every sector where they could be replaced. Everybody cares about this if they understand what it is," he said.