Hi, Daniel –
It’s nuanced. When I see someone saying that they routinely operate digitally with their privacy shields always cranked up to 11, I think to myself, “This is a person who hasn’t done their threat modeling yet”. Or at least, hasn’t conducted an honest one.
It’s safe to assume everyone in this conversation, and many more reading these words, knows how to crank up their privacy shields to the max. Our max can be high. But the thing is, operating at this level is exhausting. Exhaustion leads to fatigue. Fatigue leads to mistakes. Mistakes make you vulnerable.
I think it’s foolish to always think your adversary is the FSB or other well-equipped TLA. I think if you silo properly, and contextually choose what level of effort and resources that silo is worth, you’ll expend the correct, sustainable level of energy that silo deserves. If it’s sharing cat photos (EXIF data stripped, naturally!) and helping people learn interesting ways to protect themselves online, then, yeah, a “6” or so is fine. Our 6 is probably a neophyte’s 9, FWIW.
So context – and threat modeling – is always the first, most crucial step. At least for me.
And for somebody who’s primarily concerned with avoiding corporate surveillance and wanting civilian-grade privacy levels, will I recommend Signal? Absolutely. But if I suspect that they won’t follow through, is iMessage better than FB Messenger, in spite of them both technically having E2EE? Absolutely. So, given that context, a closed-source solution works better than an (optimum) FLOSS solution: it provides a workable profile fitting their threat profile that they’ll actually use. That’s important.
I’d also advise them not to rely on iCloud backups, and instead back up locally, on their computer using an encrypted hard drive. Baby steps, into a warm bath. See? Privacy isn’t hard, it’s… Soothing!
But I can see your point too. For smaller, human-scale projects, FLOSS is better. It’s not a guarantee (Heartbleed, anyone?), but it’s solid advice. But I’d rather advise someone to go for a solution that I am 99% certain they’ll follow than give them advice that requires too much effort given their situation, and have them later say to themselves, “Privacy is too hard – back to FB Messenger I go!”
But it all starts with threat modeling. Context is important, as is knowing your audience.
FWIW, I love starting neophytes on the journey to becoming more privacy-minded people. Going straight to Tor, TAILS or QubesOS purism is a great way to ensure those first steps don’t happen.