It's not just the NSA; any old coffee shop Wi-Fi operator could essentially bug your machine with Google Analytics (even after you go home): http://paulgb.github.io/cachebeacon/
The HTTPS proposal might be expensive but it would prevent this. Every mainstream and beacon and CDNed JavaScript would have to be on board though.
> any old coffee shop Wi-Fi operator could essentially bug your machine with Google Analytics
... also whenever people use all those CDN-hosted jQuery and other popular JS libraries. Which is - unfortunately - also a widespread practice these days.
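An added example, not part of the comments above: a small Python audit that lists which external scripts a page would fetch over cleartext HTTP, which is the condition the comments say an HTTPS-everywhere rule would remove. The hostnames, page URLs and sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class ScriptAuditor(HTMLParser):
    """Collect every external <script src=...>, resolved against the page URL."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # list of (resolved_url, status)

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if not src:
            return  # inline script: delivered with the page itself
        resolved = urljoin(self.page_url, src.strip())
        scheme = urlsplit(resolved).scheme
        # Relative and protocol-relative ("//host/x.js") sources inherit the
        # page's scheme, so on an http:// page they resolve to cleartext too.
        status = {"https": "ok", "http": "cleartext"}.get(scheme, "other")
        self.findings.append((resolved, status))


def audit(page_url, html):
    """Return (url, status) for every external script referenced by the page."""
    parser = ScriptAuditor(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


def cleartext_scripts(page_url, html):
    """URLs of scripts that would travel unencrypted and unauthenticated."""
    return [url for url, status in audit(page_url, html) if status == "cleartext"]


# Constructed sample page, not taken from any real site.
SAMPLE = """<html><head>
<script src="//cdn.example/jquery.min.js"></script>
<script src="http://analytics.example/ga.js"></script>
<script src="https://cdn.example/app.js"></script>
<script src="/static/site.js"></script>
<script>var inline = 1;</script>
</head></html>"""

if __name__ == "__main__":
    for page in ("http://shop.example/", "https://shop.example/"):
        print(page, cleartext_scripts(page, SAMPLE))
```

Served over HTTP, the sample page pulls three of its four external scripts in cleartext; served over HTTPS, only the hard-coded `http://` analytics include remains.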