Meta’s keystroke-tracking tool for AI: what privacy-conscious workers should know

Not long ago, Meta built an internal tool that monitored employee mouse clicks and keystrokes to train its AI models. After employees raised concerns and European regulators took notice, the company scaled the program back. The episode is a useful example of the tension companies face between collecting data to improve AI and respecting the privacy of the people who generate that data.

It also serves as a reminder for anyone who works at a company that uses employee data for AI: your behaviour at the keyboard might not be as private as you think.

What happened

According to reports from TechTarget and Global Banking & Finance Review, Meta deployed an internal system that tracked how employees moved their mice, clicked, and typed. The goal was to capture real-world interaction patterns and use them to train AI models — presumably to make Meta’s products better at predicting or responding to user behaviour.

The tool was reportedly used inside Meta’s own workforce. Employees were not given a clear choice about participating, and some raised objections. The situation escalated when privacy regulators in the European Union began asking questions. In response, Meta scaled back the tracking, though it is not entirely clear whether the program was completely abandoned or just narrowed.

What is clear: the company’s initial approach did not include meaningful consent from the people being monitored.

Why it matters

This story is not only about Meta. It is part of a broader pattern: companies across the tech industry are hungry for large, realistic datasets to train AI. Employee behaviour — every click, pause, and typo — is a rich source of that data. The problem is that monitoring people at this granular level raises several issues.

First, consent. Even if a company’s policy says “we may monitor usage,” that is not the same as informed, voluntary permission. Employees often have little choice but to agree if they want to keep their jobs. Second, scope. Keystroke and mouse data can reveal a lot: how fast you work, when you hesitate, what you delete, even personal passwords or sensitive messages that happen to be typed during work hours. Third, purpose. Using that data for AI training is different from using it for security or performance monitoring. The data may end up influencing products that affect people outside the company.

The EU’s interest is understandable. Under the General Data Protection Regulation (GDPR), any collection of personal data — and behavioural data like keystrokes likely counts — must have a lawful basis. Consent is one basis, but it must be freely given. When your boss asks you to be monitored, “freely given” becomes questionable.

What readers can do

If you are an employee and you are worried about similar practices at your own workplace, here are a few concrete steps you can take.

Read your company’s acceptable use policy. Many employers disclose monitoring in their IT policies. Look for language about “AI training,” “machine learning,” “behavioural data,” or “quality improvement.” If the policy is vague or buried, that is itself a red flag.

Ask your IT or HR department directly. A simple, non-accusatory question can be effective: “Does the company use any of my keylogging, mouse-tracking, or productivity data to train AI models?” If they say yes, follow up about whether the data is anonymised and what the legal basis is.

Use separate devices for personal tasks. Assume that anything you do on a company-issued computer or network could be logged. Keep personal browsing, banking, and messaging on your own phone or a personal laptop that is not connected to the corporate network.

Look for notification banners or consent popups. Some companies are required to show a notice before monitoring begins. If you see one, read it carefully before clicking “accept.” If you do not see one, that does not mean monitoring is not happening.

Advocate for transparency. If you are in a position to raise concerns — through a works council, union, or employee resource group — push for a policy that requires opt-in consent for any AI training use of personal behavioural data. Some companies have begun to adopt such policies voluntarily, especially in Europe.

Keep an eye on regulatory developments. The EU is actively scrutinising AI training data practices. Updates from data protection authorities can signal which practices are becoming unacceptable. Following news from sources like the European Data Protection Board (EDPB) can help you stay informed.

A note on what we know and what we don’t

Most of the reporting on Meta’s tool comes from secondary sources, and Meta has not disclosed full details of what was collected, how it was processed, or how much of the program remains. The company’s decision to scale back was likely driven by both employee sentiment and regulatory risk. It is not clear whether the data already collected was deleted or retained.

What is clear is that the approach Meta took — collecting fine-grained behavioural data from employees without meaningful consent — is not unique. Other companies are likely exploring similar methods. The best defence, for now, is awareness and advocacy.

Sources: TechTarget, “Meta’s AI training with keystrokes: Progress or privacy issue”; Global Banking & Finance Review, “Meta Scales Back AI Mouse Clicks Tool Amid Employee Concerns” and “Meta Tool to Track Employee Mouse Clicks Raises EU Privacy Concerns.”