And it's so easy. At a past company we once decided we'd test some assumptions about one of our forms by capturing keyboard events. As in, we added a handler for keypresses that'd call back to the server, so we could capture and play back exactly how users interacted with the form.

It provided some useful insights (one thing that surprised me was how bad people were at recognising and operating drop downs), but we very quickly (we got the idea, pushed it out, started looking at data, decided to stop doing it within a day) recognised that we'd been too quick to jump at the "cool, we can do this" factor and that even though it was beneficial, it was way too invasive.

E.g. while we might think that "it doesn't matter, it's a form on our page so we'll see the data anyway", of course that wasn't true when we actually thought about it:

The keyboard events meant that e.g. if a user cut and pasted something by accident, we'd see it, and that might include things like passwords from other sites. Or they might write something, change their mind and enter something else; explicitly withholding the original information from us. We didn't capture anything particularly private in the short amount of time it was live, but we saw enough changes (e.g. people changing contact phone numbers) that we thankfully recognised the problem before it became a real problem.