Meta has suspended an internal tracking system after a security failure exposed highly sensitive employee data. The company said the pause is temporary, but it has given no timeline for restoring the system.
The tool, launched in April, was designed to monitor workers and contractors in the United States by recording mouse movements, keyboard activity and occasional random screenshots. Unlike standard bossware used to measure productivity, Meta’s aim was to turn employee behavior into high-quality training data for AI models. Mark Zuckerberg defended the approach internally, saying models learn best when they “watch very smart people operate.”
The project became a SEV 2 incident, Meta’s second-highest severity level, after a serious permissions flaw in its database systems, which include about 45,000 tables, allowed employees unrestricted access to one another’s click and keystroke data. The exposed material reportedly included transcripts, private conversations, employee review data, and sensitive medical and financial information entered on personal computers. Meta said it had no indication the data was accessed by outsiders or misused internally.
The breach intensified anger inside the company. More than 1,600 employees had already signed an internal petition warning about privacy and security risks, as well as strain on computer resources, and the company had partly eased the monitoring by allowing pauses of up to 30 minutes. The episode also raises legal concerns in Europe, where experts say such a program would likely conflict with GDPR rules because employee consent is not fully free given the power imbalance between employer and worker.
