Things you type and auto-filled fields on the web may be sent in real time to the server

The contents of this post come as no surprise to technical people, yet even techies do not always think of the fact that whenever you are typing something in a text field on a web page, every keystroke can be sent in real time to the server or 3rd-party servers without your knowledge.

And also that, when you have auto-filled form fields switched on in your browser, the form you submit to the server may contain form data that you did not fill in, and are not even meant to be sent. You typed them in earlier in a different context (the fields that are auto-filled are hidden from you). Note: A demo of this is added to the awesome-humane-tech list.

The reason is that your browser supports JavaScript, and the website can easily put in scripts that contain a keylogger.

Caution: There is no guarantee that data is only sent to the server when you press the ‘Submit’ button!

I got a reminder of this from this article I found discussed on Hacker News:

It goes further than just customer service agents, and applies to anything you type on a web page. When looking at your typing in real time, a lot of things can be deduced about you personally: your typing speed, number of errors, but - more importantly - things you correct (your first angry response in a support form) or edit because it contains sensitive information (the log file you are asked to provide, which contains a password).

Here is the Hacker News discussion with a lot of interesting stuff in it (like orders that were placed, but the order form was never submitted, only filled in): https://news.ycombinator.com/item?id=18983036

(PS. Also note that when you are on hold in a support call by phone, the operator can often still hear you)

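One way to check a form for the hidden auto-filled fields described in the post above, as an added example that is not part of the original post or of the demo it mentions. The function name, token list, hiding heuristics and sample form are assumptions constructed for illustration; it only inspects inline styles, so hiding done through a stylesheet needs a check of computed styles in a real browser.

```javascript
// Added example: flag inputs a user cannot see but that look like autofill
// targets for personal data. Heuristic only; all names here are hypothetical.
const PERSONAL_TOKENS = ['name', 'email', 'tel', 'phone', 'address', 'street',
  'postal', 'zip', 'city', 'country', 'organization', 'cc-', 'card', 'bday'];

// Inline-style patterns that keep a field out of sight (assumed heuristics).
const HIDING_STYLES = [
  /display\s*:\s*none/i,
  /visibility\s*:\s*hidden/i,
  /opacity\s*:\s*0(\.0+)?\s*(;|$)/i,
  /(left|top|text-indent)\s*:\s*-\d{3,}/i, // pushed far off-screen
];

// Input types assumed not to receive autofilled personal data.
const SKIPPED_TYPES = ['hidden', 'submit', 'button', 'checkbox', 'radio', 'file'];

// Parse the attributes of one <input> tag into a lower-cased key -> value map.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  const body = tag.replace(/^<\s*input/i, '');
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] || m[3] || m[4] || '';
  }
  return attrs;
}

// Return the names of inputs that are both hidden and personal-data shaped.
function findHiddenAutofillTargets(html) {
  const findings = [];
  for (const tag of html.match(/<input\b[^>]*>/gi) || []) {
    const a = parseAttrs(tag);
    if (SKIPPED_TYPES.includes((a.type || 'text').toLowerCase())) continue;
    const label = `${a.autocomplete || ''} ${a.name || ''} ${a.id || ''}`.toLowerCase();
    const personal = PERSONAL_TOKENS.some((t) => label.includes(t));
    const hidden = 'hidden' in a || HIDING_STYLES.some((re) => re.test(a.style || ''));
    if (personal && hidden) findings.push(a.name || a.id || '(unnamed)');
  }
  return findings;
}

// Constructed sample: a newsletter form that shows two fields and hides three.
const SAMPLE_FORM = `
<form action="/subscribe" method="post">
  <input type="text" name="name" autocomplete="name">
  <input type="email" name="email" autocomplete="email">
  <input type="text" name="phone" autocomplete="tel" style="position:absolute; left:-9999px">
  <input type="text" name="address" autocomplete="street-address" style="display: none">
  <input name="cc_number" autocomplete="cc-number" hidden>
  <input type="hidden" name="csrf_token" value="constructed">
</form>`;

console.log(findHiddenAutofillTargets(SAMPLE_FORM));
```
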

Auto fill should be disabled for most types of searches. It makes people dumb. The goal of systems should be to make people think and grow their synaptic connections, not to reduce their thinking and memory. By reducing these kinds of harmful conveniences, we can not only reduce the effort it takes to build software systems but also increase human cognition.