3 Minutes
Imagine every mouse twitch, every copy-paste, and every late-night code edit being recorded and stored. That’s the image painted by leaked internal documents about a new Meta tracking system called MCI — and it has privacy experts in Europe on edge.
Meta rolled out MCI as a tool to observe how employees interact with software and websites, ostensibly to gather real-world usage data to train AI assistants. The company told the public in April that the system would be limited to U.S.-based staff. But the documents reveal a different story: MCI reportedly monitors more than 200 apps and websites, captures clicks and cursor movements, and pulls in clipboard contents, browsing histories, code changes and even machine on/off timestamps.
Employees objected almost immediately. Protests, petitions and leaflets circulated inside teams. Some staff feared the data would be used to train models that could replace their roles. Others flagged a practical problem: the tool’s heavy network usage reportedly burned through monthly internet allocations for some workers within days.
The most alarming revelation is that MCI logs emails and messages sent to U.S. employees regardless of where the sender is located — meaning European staff who message American colleagues could have their communications recorded. That admission, according to legal experts, puts Meta squarely under the scrutiny of Europe’s General Data Protection Regulation. Even limited or incidental collection of EU employees’ personal data can trigger GDPR obligations and potential enforcement actions.
One insider’s analysis suggests the data is kept unencrypted and could be used to assemble detailed behavioral profiles: how engineers write code, which webpages colleagues visit, and when workstations are toggled on or off. Privacy advocates warn such profiles are precisely the type of surveillance that can chill workplace autonomy and erode trust.
Meta’s spokespeople say non-U.S. staff were informed about the system’s presence when interacting with U.S.-based colleagues and that the company designs tools to comply with applicable privacy laws while mitigating risks during development. The Irish Data Protection Commission — Meta’s primary regulator in the EU — has not published a formal response at the time of reporting. Civil liberties groups and data lawyers are calling for rapid, independent inquiry.
There are practical and ethical questions here, not just legal ones. Who decides which signals from a keyboard or a cursor constitute product insight and which amount to invasive surveillance? As tech companies race to refine AI with real-world usage data, the balance between innovation and workers’ privacy will be tested in courtrooms and regulators’ offices alike.
Leave a Comment