Everyone (who is a nerd) loves XMLHttpRequest. It's awesome, is why. The web starts behaving like applications: things work how they are supposed to, and mum and dad don't need to know anything about post-backs and submit buttons - "Submit? Submit to what?!"
For all its goodness, however, something smells a little funny about this holy grail of web communication. Like beer and chocolate before it, there is an evil side to what, on the surface, seems pure and innocent.
The evilness lies primarily in its newness. A whole swag of newly trackable data, sent at any time, sent without the user's knowledge, often without the (average) user even knowing it's possible. Every keystroke, every mouse move, every click, every pause can now be captured by a script and sent to the web server, and short of turning off JavaScript or blocking the requests outright there is nothing you can do about it.
Like every technology, of course, it can be used for good and it can be used for evil. The evil, I think, will mostly be in the form of user profiling. User profiling previously could only be done on posted data - data the user chose to let the server see. Now the user can be monitored constantly: not just what was submitted, but what was typed and then deleted, which boxes were checked and then unchecked, how long each pause was. And so on.
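Here is the kind of tracker the two paragraphs above are worried about, written as an added example (it is not the post's own code, nor the code behind the Fonzie game). It records keystrokes (flagging Delete and Backspace as corrections), checkbox checks and unchecks, and throttled mouse moves, and every four events it fires them off to the server with XMLHttpRequest, the post's "every four moves". The `/track` endpoint, the field names and the 100 ms mouse throttle are assumptions; the transport is injectable so the batching logic can be exercised outside a browser, and the DOM wiring only runs when a `document` exists.

```javascript
// Added example of an XMLHttpRequest behaviour tracker; not the post's own code.
// The "/track" endpoint, field names and 100 ms throttle are assumptions.

const BATCH_SIZE = 4; // the post's "every four moves"

// Builds a tracker. `send(batch)` is injectable so the logic runs without a
// browser; the default hands each batch to XMLHttpRequest when one exists.
function createTracker({ batchSize = BATCH_SIZE, send = xhrSend, now = Date.now } = {}) {
  const pending = [];   // events not yet sent
  const sent = [];      // every batch already handed to send()
  let lastMove = 0;     // timestamp of the last recorded mouse sample

  function flush() {
    if (pending.length === 0) return;
    const batch = pending.splice(0, pending.length);
    sent.push(batch);
    send(batch);
  }

  function record(event) {
    pending.push({ t: now(), ...event });
    if (pending.length >= batchSize) flush();
  }

  return {
    // keydown: keep the key itself, so Delete/Backspace (the post's example of
    // what a profiler cares about) is visible as a correction, not just a length.
    onKey(key, target) {
      record({ type: 'key', key, target, correction: key === 'Delete' || key === 'Backspace' });
    },
    // change on a checkbox: both check and uncheck are recorded, so a
    // check-then-uncheck hesitation shows up as two events.
    onToggle(name, checked) {
      record({ type: 'toggle', name, checked });
    },
    // mousemove fires far too often to ship raw; sample at most once per 100 ms.
    onMove(x, y) {
      const t = now();
      if (t - lastMove < 100) return;
      lastMove = t;
      record({ type: 'move', x, y });
    },
    flush,
    pendingCount: () => pending.length,
    sentBatches: () => sent,
  };
}

// Default transport: an async POST with no user-visible effect whatsoever.
function xhrSend(batch) {
  if (typeof XMLHttpRequest === 'undefined') return; // e.g. running under Node
  const xhr = new XMLHttpRequest();
  xhr.open('POST', '/track', true);
  xhr.setRequestHeader('Content-Type', 'application/json');
  xhr.send(JSON.stringify(batch));
}

// Wires the tracker to a document. Returns false (and does nothing) when there
// is no document, which is what happens outside a browser.
function attach(tracker, doc = typeof document !== 'undefined' ? document : null) {
  if (!doc) return false;
  doc.addEventListener('keydown', e => tracker.onKey(e.key, e.target && e.target.name));
  doc.addEventListener('change', e => {
    if (e.target && e.target.type === 'checkbox') tracker.onToggle(e.target.name, e.target.checked);
  });
  doc.addEventListener('mousemove', e => tracker.onMove(e.clientX, e.clientY));
  // whatever is still pending when the page is abandoned goes out too
  if (doc.defaultView) doc.defaultView.addEventListener('beforeunload', tracker.flush);
  return true;
}
```

In a page, `attach(createTracker())` is the whole deployment; nothing the user sees changes. The only things that stop it are on the user's side (scripting disabled, the request blocked) or a policy the site itself sets, such as a Content-Security-Policy `connect-src` that does not allow the collecting origin.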
Not convinced? Not ready to rise up and strip the XMLHttpRequest code from your browser? Perhaps this mighty text adventure proof of concept will chill you to your core: "The Search For Fonzie's Treasure". Can you save Fonzie's soul from everlasting damnation?
Good luck, but remember... although it seeeems like harmless client-side interaction, every four moves an XMLHttpRequest is sent to my server and your moves are saved. FOREVER. Don't make a typo. I'll know. Don't try something stupid like "eat jukebox". I'll know.
Scared yet? Check out day one's Fonz Requests.