While digging through an Angolan dissident's MacBook last week, security researcher Jacob Appelbaum uncovered a new strain of spyware.
Its purpose? To capture screenshots and beam them back to servers based in France, the Netherlands, and elsewhere.
"They can intercept text messages, and even worse, they can triangulate your position very accurately," said Nasser Weddady, director of civil rights
outreach for the American Islamic Congress. "They can remotely turn your smartphone into a microphone."
This phenomenon isn't new, as protesters taking part in the Arab Spring protests discovered the hard way, but the frequency and cleverness of the attacks
are on the rise. In March of 2011, one activist raided the headquarters of Egypt's state security agency and found online call files describing his own
love life and trips to the beach. In 2012, an Internet-freedom report from the advocacy group Freedom House found that in 12 of 37 countries, state cyber
attacks against regime critics were "intensifying."
A spyware tool called FinSpy, made by the British company Gamma Group, can clandestinely turn on Web cams and read documents as they're being typed. It
has been linked to servers in more than two dozen countries, including Bahrain, where an active uprising continues to simmer. (At times, the software has
even masqueraded as the browser Firefox, which prompted an angry rebuke from the Mozilla Foundation.)
A number of Western companies manufacture the technology these governments use for online monitoring, but most of the manufacturers claim to have no
control over how foreign agents use their software. Reporters Without Borders went so far as to write to Skype in January and ask for better transparency
about the security of Skype calls.
But as activists have become increasingly aware of such Internet strikes, they've also become savvier about the information trails they leave in the
"The states we live under have an incredibly unparalleled access to a level of data," O'Brien said at a recent talk in Oslo. "On the standard Internet,
they know who you're speaking to. On the mobile internet, they know who you are. With mobile devices as they're currently designed, we have no idea what
kinds of hardware or software are being installed."
Activists have fought back using the basic protections: stronger passwords, two-step verification, and security questions with wrong answers to fool the
more familiar (or Wikipedia-reading) hackers, O'Brien said.
Then there are hard drives, which must be encrypted so they can't be read even if the bad guys get hold of a computer or mobile device. Without encryption,
sensitive evidence can be easily compromised.
"One documentary filmmaking group that was in Syria was filming a lot of activists in that civil war," O'Brien explained. "As they left the country, the
computer was taken, and that content was seized, and it revealed everything -- all those people's activities."