You’ve probably seen this popular feature on various search engines: As you enter your search criteria a drop-down list of suggestions appears. The way this works is that the page has a bit of javascript in it that makes AJAX calls back to the search server every time the text in the search box changes.
Now what about applying that to textarea fields such as those used to enter the body of your message on a forum? Only there’s no user-feedback. The characters you type are simply stored into the database along with your post. An admin could then replay your message entry, including the bits where you went back and deleted or corrected bits of your post before finally submitting it. Let’s say you make some comments or share some feelings that, before you hit the submit button, you think better of and delete. But they’re not deleted. Not anymore. They’ve been saved. Content you never intended to share is now in the wild.
What if we take this to its logical conclusion: a keylogger embedded in your web site. Maybe you start typing in the credentials for your e-mail account by accident, delete them, and type in your forum credentials before finally hitting submit. Or maybe you lose track of which window on your desktop has focus and you start to type your password for your e-mail account into a web page that doesn’t even have a single text input field?
And all of this would be sent in plaintext from your computer to the web server, allowing anyone inbetween to see this as well.
Is there a line here? Is it being crossed? Do you think it’d be okay to grab the data from, say, a person as they were creating their forum post, but maybe the wholesale keylogger is wrong? I wonder what the legal implications are here. Can you really have a reasonable expectation of privacy if you’re creating content that would be publicly available on the internet?
I would suspect infrequently visited sites wouldn’t get much out of such a system to begin with. But imagine a forum that might have 1,000+ users hitting the site weekly. I bet they’d get some “interesting” stuff every so often.
Which is why the paranoid among us will want to at least find a plug-in for their web browser to disable javascript on untrusted web sites, if not disabling it entirely.