The Model Capability Initiative, which logs mouse movements and keystrokes to train Meta’s AI, is on hold after sensitive staff data was left accessible to the whole company.
Meta has paused a programme that watches its own employees work. On Monday 22 June 2026, the company said it would halt the internal tool that tracks staff mouse movements and digital activity to train its AI models, while it investigates how a trove of sensitive employee data ended up readable by anyone at the company.
The tool is the Model Capability Initiative, or MCI, rolled out in April 2026. As earlier reporting on the software laid out, it captures the mouse movements, clicks, and keystrokes of US-based employees, with occasional screenshots, and feeds the lot into Meta’s models as training data.
The idea is to teach AI systems how human workers actually navigate tasks. The side effect, it turns out, was a sizeable pool of personal information sitting in the open.
The pause follows revelations, drawn from documents reviewed by Reuters, that sensitive employee data was inadvertently accessible to all Meta staff.
The exposed material reportedly included private conversations, performance data, and transcriptions, the sort of records that are uncomfortable enough when held by HR, let alone visible across an entire workforce.
The irony is hard to miss. A programme built to harvest the fine detail of how employees work, down to the cursor twitch, failed to keep the resulting detail away from the very employees it was watching.
The exposure was not a breach by an outside attacker but a permissions problem, the kind of internal misconfiguration that turns a surveillance dataset into an open filing cabinet, and one that is squarely Meta’s to answer for given the company designed and ran the collection itself.
Meta did not dispute the substance.
“We have carefully designed this program with privacy safeguards and while we have no indication at this time that any data was improperly accessed by Meta employees, we’re pausing it while we investigate,” spokesperson Tracy Clayton said.
The company declined to say how long the halt would last, which leaves the programme suspended without a stated reopening date.
MCI has been contentious inside Meta from the start, and not only over security. The collection drew protest from employees who objected to being surveilled by software built to learn from them, a tension sharpened by its arrival ahead of job cuts.
In an attempt to soften the friction, Meta later offered a pause button letting workers switch off the tracking for 30 minutes at a stretch, a concession that managed to underline how constant the monitoring otherwise was.
The legal exposure has loomed larger than the office grumbling. Logging keystrokes and screenshots of identifiable employees runs straight into Europe’s data-protection regime, and the programme has been flagged for a likely collision with GDPR, which sets a high bar for processing personal data and treats workplace consent as shaky given the power imbalance between employer and staff.
A leak that made sensitive records broadly accessible is precisely the failure such rules are written to prevent.
For now the cursors are no longer being recorded, at least not by MCI. Meta has said it will investigate, has not said for how long, and has not indicated whether the programme returns in its current form, in a redesigned one, or not at all. Those answers, like the data that prompted the pause, are being kept in-house.
