%20--%3e%3cdefs%3e%3cstyle%3e%20.st0%20{%20fill:%20%23061b40;%20}%20.st1%20{%20fill:%20%23306af1;%20}%20.st2%20{%20fill:%20%235ce5cf;%20}%20%3c/style%3e%3c/defs%3e%3cg%3e%3cpath%20class='st0'%20d='M55,10.5h9v3h-9v9h12V7.5h-12v3ZM64,19.5h-6v-3h6v3Z'/%3e%3cpolygon%20class='st0'%20points='69%2016.5%2078%2016.5%2078%2019.5%2069%2019.5%2069%2022.5%2081%2022.5%2081%2013.5%2072%2013.5%2072%2010.5%2081%2010.5%2081%207.5%2069%207.5%2069%2016.5'/%3e%3cpolygon%20class='st0'%20points='95%2010.5%2095%207.5%2083%207.5%2083%2022.5%2095%2022.5%2095%2019.5%2086%2019.5%2086%2016.5%2095%2016.5%2095%2013.5%2086%2013.5%2086%2010.5%2095%2010.5'/%3e%3cpath%20class='st0'%20d='M40,1.5v21h11.6l1.4-1.4v-7.6h0c0,0-1.4-1.5-1.4-1.5l1.4-1.4V2.9l-1.4-1.4h-11.6ZM50,19.5h-7v-6h7v6ZM50,10.5h-7v-6h7v6Z'/%3e%3c/g%3e%3cpath%20class='st1'%20d='M23.1,24L14.7,4.8l-4.9,11.2h3.8l-1.8,4H3.3L12.1,0H2C.9,0,0,.9,0,2v20c0,1.1.9,2,2,2h21.1Z'/%3e%3cpath%20class='st2'%20d='M34,0h-16.8l10.6,24h6.2c1.1,0,2-.9,2-2V2C36,.9,35.1,0,34,0ZM32.5,20h-4V4h4v16Z'/%3e%3c/svg%3e)
In April 2026, Meta quietly launched an internal project called "Model Capabilities Initiative" (MCI) at its US offices. The project trained AI systems to operate computer software like humans by recording employees' keyboard inputs, mouse movements, and screen shots. Meta executives' logic was simple: by observing how the best employees work, they could obtain the best AI training data.
45,000 pieces of data leaked, employee privacy "naked"
Yet, just two months later, the project backfired in a near-sarcastic way. Due to an access control configuration error, about 45,000 data tables containing employees' private data were exposed to anyone within the company who might find them. The leaked content not only included complete AI prompts but also private conversations, personnel performance data, and even individual employees' personal tax and medical information. A former employee described the incident as "a mess" and revealed that employees had long anticipated a leak, but the leadership ignored warnings about privacy and security.
From monitoring to replacement, employees become AI training "consumables"
Long before the security vulnerability was exposed, more than 1,600 Meta employees signed a petition demanding the stop of MCI. The core demands of the employees focused on privacy, security, and choice: no one wanted every keystroke they made to be recorded; storing such a large amount of sensitive behavioral data in a centralized manner was itself a huge leakage risk; moreover, when the project was launched, employees had no right to opt out. An employee wrote angrily on an internal forum: "We were told these data would be protected, but that's not true."
The timeline of the incident shows that the problem was first noticed by a Meta engineer on June 18th and reported. Stephane Kasriel, the AI research vice president, said the vulnerability was fixed within four hours, but the initial fix did not truly resolve the issue, and data access permissions were found to have gaps again. Kasriel announced the indefinite suspension of MCI on June 22nd and stated that it would be reactivated only when there was confidence in the effectiveness of data protection controls. He also hinted that the company had already "collected enough data to assess the long-term value of the tool," which means the project may face complete termination.
Legal risks also loom over Meta. Experts pointed out that the MCI project may violate the European GDPR regulations, especially when collecting employees' behavioral data without sufficient consent. In addition, Meta is still subject to a consent decree from the U.S. FTC that lasts until 2040. If the FTC determines that this security incident violates the terms, Meta will face new regulatory penalties. Analysts described Meta's data protection measures as "as thin as paper."
The MCI incident reveals a deeper issue: when the data needed for AI training comes from within the company, employees simultaneously become the "raw material" for training data and the "bearer" of privacy risks. For a company whose main business is collecting and monetizing user data, failing to protect its own employees' data security is more damaging to internal trust than any external privacy scandal. As AI agents are increasingly deployed in enterprises, employee behavior monitoring is becoming a rapidly growing gray area, and Meta's case has sounded a warning for the entire industry.