Meta's employee tracking tool captures global data, raising EU privacy rule concerns

Exclusive: Meta tool to track employee mouse clicks on collision course with EU privacy rules

NEW YORK/AMSTERDAM, May 29 (Reuters) - Meta Platforms' (META.O), opens new tab plan to collect detailed records of U.S. employees' computer usage for training its AI models is more extensive than initially described and set to capture non-U.S. data in the process, according to internal documentation seen by Reuters. The documents introduce fresh complications for the project -- a key component of CEO Mark Zuckerberg's broader plan to transform how the company operates around AI agents -- that could draw Meta into a new European privacy fight, rights groups told Reuters. The Facebook and Instagram owner told staff last month it was launching the tool to capture how people use computers, including mouse movements, clicks and navigation through dropdown menus, in order to build AI agents that can perform everyday software tasks autonomously. The tool, called Model Capability Initiative, or MCI, is pulling in data from more than 200 apps and websites, according to a list Meta shared with staffers. The company said it would impact only U.S. employees and that safeguards were in place to protect sensitive information. In the weeks since its launch, however, Meta employees have complained that MCI was consuming so much data that it was causing their home internet usage to spike, in some cases using up an entire month's quota within days, according to internal posts seen by Reuters. Meta also acknowledged in a question-and-answer document provided to employees that the tool would capture the contents of any emails or direct messages sent to U.S. personnel, regardless of the sender's ⁠location. In a statement, Meta spokesperson Dave Arnold said MCI was installed only on U.S. employees' devices and that its focus was on how people interact with computers, not the content on their screens. "In the interest of transparency, we notified non-U.S. employees that it was deployed on the computers of U.S. colleagues they may email or chat with in the normal course of business," said Arnold. He confirmed the approximate number of apps and websites the tool is tracking, but declined to answer detailed questions about how much data it is ingesting and its legality. "We carefully considered and mitigated potential privacy risks in both the development and deployment of this tool, and we are committed to complying with applicable laws and regulations," he said. GDPR COMPLIANCE QUESTIONS EMERGE The findings could deepen Meta's regulatory troubles in the European Union, where tech companies are facing heated legal clashes over how they collect and deploy data. While U.S. workers have few protections against employer surveillance, companies operating under the EU's General Data Protection Regulation must have a legal basis for processing personal data, disclose what is collected and meet strict conditions for especially sensitive data like health information. In Meta's FAQ document on MCI, one entry addressed the tracking from the perspective of a non-U.S. employee: "I'm based outside the U.S. Will my conversations or data be captured if I'm communicating with a U.S.-based colleague who has the tool enabled?" The company's response: "If a U.S.-based colleague has the tool enabled while gchatting or emailing with someone outside the U.S., that activity would be captured." Meta also said in the FAQ that data collected by MCI would be "dissociated" from identifying employee information and ⁠therefore could not be looked up or deleted for individuals, a requirement in Europe. Kleanthi Sardeli, a legal expert at privacy advocacy group NOYB ("none of your business"), told Reuters that even limited or indirect capture of EU employee data could put Meta in violation of GDPR rules. Key sticking points could include whether the tool's collection of European data is considered "incidental" or counted as monitoring under the GDPR, and whether the initiative can pass a "purpose limitation" test, she added. "This data was originally collected for the purpose of work communication and fulfilling an employment contract. Taking an employee's chat and ingesting it into an AI model is incompatible with that initial purpose," said Sardeli. Meta told the Irish Data Protection Commission, its lead EU privacy regulator under GDPR, that neither EU employee data nor the recording of screen content "falls within the primary purpose of the tool," a DPC spokesperson told Reuters, ⁠without elaborating. Arnold, the Meta spokesperson, declined to comment on the company's exchanges with regulators. EMPLOYEE BACKLASH OVER DATA SCOPE The MCI project is part of a far-reaching restructuring at Meta aimed at handing large swaths of work over to AI agents, which has prompted an angry backlash among employees, who have likened Meta to an "Employee Data Extraction Factory." In an internal post, one employee shared findings of a detailed analysis of MCI log files performed with the aid of Anthropic's Claude, the type of AI tool Meta has been pushing staffers to incorporate into their workflows. According to the analysis -- replicated by others -- MCI was ⁠tacked on to the company's existing data security software, giving it access to additional details including employees' code changes, their computers' sleep and wake cycles, URLs visited and any clipboard content they copy and paste, which it then stored less securely in unencrypted form. Compiling that volume of data would make it possible to build "a complete behavioral model of how a knowledge worker does their job," the employee wrote. "Not 'an AI that clicks a dropdown for you' but 'an AI that knows which dropdown to click, what to select, which document to ⁠paste it into, and what to do next,'" she wrote. The employee's post later vanished, two other employees told Reuters. Arnold, the Meta spokesperson, called the post's conclusions "fundamentally inaccurate," but declined to address questions about its claims or say whether the company had removed it. Johnny Ryan, director of the Irish Council for Civil Liberties' Enforce unit, said the exchanges inside Meta reinforced why he considers it "essential" that the DPC investigate the initiative. "This situation, this case, is not limited to Meta employees. It relates to every employee in every sector where they could be replaced. Everybody cares about this if they understand what it is," he said. Reporting by Katie Paul in New York and Toby Sterling in Amsterdam; Editing by Kenneth Li and Matthew Lewis Our Standards: The Thomson Reuters Trust Principles., opens new tab

Meta's employee mouse tracking program could reportedly violate EU privacy laws - Engadget

'Reuters' says the tracking tool could capture emails and chats by non-US employees. Reuters says Meta's mouse tracking program for employees could run afoul of the EU's strict privacy rules. If you'll recall, the news organization reported back in April that the company will be capturing its US employees' keystrokes, mouse movements and clicks for the purpose of training its artificial intelligence models. Meta confirmed the program to Engadget, with a spokesperson telling us that the company is "launching an internal tool that will capture these kinds of inputs on certain applications" because it needs real examples of people completing everyday tasks on computers. Now, Reuters reports that the program may have a larger scope than what Meta had revealed and that it may capture non-US data in the process. The company has reportedly admitted in Q&A documents provided to employees that the tool called Model Capability Initiative (MCI) would capture the contents of emails or messages sent to or by its US personnel, no matter where the sender or recipient is from. "If a US-based colleague has the tool enabled while gchatting or emailing with someone outside the US, that activity would be captured," Meta wrote in the document. Meta spokesperson Dave Arnold told Reuters that the company notified non-US employees that the tool was deployed on the computers of the US colleagues they may email or chat with. Arnold also said that that company "carefully considered and mitigated potential privacy risks in both the development and deployment" of the tool, and that it's "committed to complying with applicable laws and regulations." A legal expert told Reuters, however, that even a limited capture of EU employee data "could put Meta in violation of the EU's General Data Protection Regulation (GDPR) rules." Under the GDPR, companies must have a legal basis for collecting personal data and must disclose what it's collecting. Reuters also says in its new report that MCI tracks data from over 200 apps and websites for Meta's program. Employees have reportedly been complaining to the company that the tool was using so much data that those with monthly quota have been seeing theirs consumed in just a few days. That's just one of their complaints against MCI. Meta's employees have been voicing out their disapproval for the program since it was launched, with some expressing concerns that they were helping train their eventual replacements. Some employees even distributed flyers, asking colleagues to sign a petition protesting the program.

Meta tool to track employee mouse clicks on collision course with EU privacy rules

Meta's AI training tool, Model Capability Initiative (MCI), is reportedly capturing extensive U.S. employee computer usage, including non-U.S. data from communications. This extensive data collection could lead to new European privacy violations under GDPR, as employees express concerns about the tool's scope and impact on their internet usage and sensitive information. Meta Platforms' plan to collect detailed records of U.S. employees' computer usage for training its AI models is more extensive than initially described and set to capture non-U.S. data in the process, according to internal documentation seen by Reuters. The documents introduce fresh complications for the project - a key component of CEO Mark Zuckerberg's broader plan to transform how the company operates around AI agents - that could draw Meta into a new European privacy fight, rights groups told Reuters. The Facebook and Instagram owner told staff last month it was launching the tool to capture how people use computers, including mouse movements, clicks and navigation through dropdown menus, in order to build AI agents that can perform everyday software tasks autonomously. The tool, called Model Capability Initiative, or MCI, is pulling in data from more than 200 apps and websites, according to a list Meta shared with staffers. The company said it would impact only U.S. employees and that safeguards were in place to protect sensitive information. In the weeks since its ⁠launch, however, ⁠Meta employees have complained that MCI was consuming so much data that it was causing their home internet usage to spike, in some cases using up an entire month's quota within days, according to internal posts seen by Reuters. Meta also acknowledged in a question-and-answer document provided to employees that the tool would capture the contents of any emails or direct messages sent to U.S. personnel, regardless of the sender's location. In a statement, Meta spokesperson Dave Arnold said MCI was installed only on U.S. employees' devices and that its focus was on how people interact with computers, not the content on their screens. "In the interest of transparency, we notified non-U.S. employees that it was deployed on the computers of U.S. colleagues they may email or chat with in the normal course of business," said Arnold. He confirmed the approximate number of apps and websites the tool is tracking, but declined to answer detailed questions about how much data it is ingesting and its legality. "We carefully considered and mitigated potential privacy risks in both the development and deployment of this tool, and we are committed to complying with applicable laws and regulations," he said. GDPR compliance questions emerge The findings could deepen Meta's regulatory troubles in the European Union, where tech companies are facing heated legal clashes over how they collect and deploy data. While U.S. workers have few protections against employer surveillance, companies operating under the EU's General Data Protection Regulation must have a legal basis for processing personal data, disclose what is collected and meet strict conditions for especially sensitive data like health information. In Meta's FAQ ⁠document on MCI, one entry addressed the tracking from the perspective of a non-U.S. employee: "I'm based outside the U.S. Will my conversations or data be captured if I'm communicating with a U.S.-based colleague who has the tool enabled?" The company's response: "If a U.S.-based colleague has the tool enabled while gchatting or emailing with someone outside the U.S., that activity would be captured." Meta also said in the FAQ that data collected by MCI would be "dissociated" from identifying employee information and therefore could not be looked up or deleted for individuals, a requirement in Europe. Kleanthi Sardeli, a legal expert at privacy advocacy group NOYB ("none of your business"), told Reuters that even limited or indirect capture of EU employee data could put Meta in violation of GDPR rules. Key sticking points could include whether the tool's collection of European data is considered "incidental" or counted as monitoring under the GDPR, and whether the initiative can pass a "purpose limitation" test, she added. "This data was originally collected for the purpose of work communication and fulfilling an employment contract. Taking an employee's chat and ingesting it into an AI model is incompatible with that initial purpose," said Sardeli. Meta told the Irish Data Protection Commission, its lead EU privacy regulator under GDPR, that neither EU employee data nor the recording of screen content "falls within the primary purpose of the tool," a DPC spokesperson told Reuters, without elaborating. Arnold, the Meta spokesperson, declined to comment on the company's exchanges with regulators. Employee backlash over data scope The MCI project is part of a far-reaching restructuring at Meta aimed at handing large swaths of work over to AI agents, which has prompted an angry backlash among employees, who have likened Meta to an "Employee Data Extraction Factory." In an ⁠internal post, one employee shared findings of a detailed analysis of MCI log files performed with the aid of Anthropic's Claude, the type of AI tool Meta has been pushing staffers to incorporate into their workflows. According to the analysis - replicated by others - MCI was tacked on to the company's existing data security software, giving it access to additional details including employees' code changes, their computers' sleep and wake cycles, URLs visited and any clipboard content they copy and paste, which it then stored less securely in unencrypted form. Compiling that volume of data would make it possible to build "a complete behavioral model of how a knowledge worker does their job," the employee wrote. "Not 'an AI that clicks a dropdown for you' but 'an AI that knows which dropdown to click, what to select, which document to paste it into, and what to do next,'" she wrote. The employee's post later vanished, two other employees told Reuters. Arnold, the Meta spokesperson, called the post's conclusions "fundamentally inaccurate," but declined to address questions about its claims or say whether the company had removed it. Johnny Ryan, director of the Irish Council for Civil Liberties' Enforce unit, said the exchanges inside Meta reinforced why he considers it "essential" that the DPC investigate the initiative. "This situation, this case, is not limited to Meta employees. It relates to every employee in every sector where they could be replaced. Everybody cares about this if they understand what it is," he said.