
I love this framing. Perfection is both unattainable and daunting, but there's a ton of low-hanging fruit for people who just want to be doing better than their current setup.

reply

It all depends on your adversary. If it's the spooks, you're probably not going to attain it. If it's all other downstream, especially commercial, consumers of your data, the solution is simple: throw away your phone, get a Linux laptop, don't expose your IP address, don't log in anywhere. Done.

If you do want to have a phone, the learning curve is a vertical zero-to-hero cliff.

reply

Do you think these marginal improvements have trivial payoff, then?

reply

I'd say yes, it's bottom line trivial, unfortunately.

There's absolutely good advice in there, but it's insufficient, because data obtained from brokers is correlated. There is, as far as I know, not a single phone browser that is capable of withstanding fingerprinting - only desktop Tor Browser with JavaScript off at the moment. So you visit 2 sites on the same hardware, these can be correlated.

Note that (a) websites are not designed to protect you and (b) they can easily fingerprint and log. As does Cloudflare, which 90% or so of popular websites use.

And, it's worse, because all these phones keep identifying data (Google account / Apple ID) and do naughty stuff, so unless you fully degoogle an AOSP phone (don't run an iPhone without logging in - no iOS updates), you hang by a thread of "them not getting hacked".


But, there is a benefit to be had by following this guide if you are starting with this: you will gradually drop off the radar rather than at once, and this will prevent you being flagged by big guys with big guns. So it helps with your profile to take it one step at a time.

The problem is that people will think themselves secure while they've just done the first step of a process that never ends, and in that case it may be better to just do what you want and not worry about it, while knowing you're not anon.

reply

GrapheneOS is pretty easy to install and use, and it provides very good privacy even if you use Google apps - they're sandboxed. So unless I'm missing out on something, mobile privacy isn't as challenging as you make it out to be...

reply
121 sats \ 1 reply \ @Scoresby 3 Jun

I feel like the rich man to whom Jesus said "give up everything you have and follow me"

I can do Linux and a dumb phone and Tor or VPN, but I don't know how I'd live life if I didn't want to log in anywhere.

reply

Security (and with it, privacy because you can't have the latter without the former) always comes at the loss of functionality and the introduction of friction... it's a tradeoff.

The hardest part is to not have email.

reply

If you want a minimalist privacy setup, here is the order of priority (low-hanging fruit with the highest impact) to fix first:

  1. DNS: Switch your ISP DNS to an encrypted, privacy-respecting DNS resolver (like Quad9, Mullvad DNS, or NextDNS) using DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT). This blocks ISPs from harvesting your raw browsing logs.
  2. Browser: Move away from Chrome. Use Firefox (manually hardened or with Arkenfox user.js) or Brave. Install uBlock Origin and run it in Medium Mode to block third-party scripts and ads.
  3. Passkeys/Password Manager: Start using a self-custodial manager like Bitwarden or KeePassXC. Creating complex, unique passwords for every single account is a massive upgrade to both security and privacy.
  4. Email Aliasing: Mask your real email using simple services like SimpleLogin or Proton Pass when signing up for websites. This prevents data breaches from linking back to your real identity.
  5. Operating System: If switching to Linux isn't viable yet, use a tool to disable Windows telemetry, or set up a secure mobile environment using GrapheneOS on a Google Pixel device.
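
Item 1 of the list above, as an added configuration example that is not part of the original post: it assumes a Linux machine whose system resolver is systemd-resolved and picks Quad9 from the resolvers named in the list. The drop-in file name is hypothetical.

```ini
# /etc/systemd/resolved.conf.d/dns-over-tls.conf   (hypothetical drop-in name)
# Assumption: systemd-resolved is the active system resolver on this host.

[Resolve]
# Quad9 resolvers. The name after '#' is the hostname the server's TLS
# certificate is validated against, so an on-path device cannot
# impersonate the resolver with its own certificate.
DNS=9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net

# An empty value clears the compiled-in fallback servers, so a failure of
# the resolvers above does not quietly send queries somewhere else.
FallbackDNS=

# Weak setting: "opportunistic" attempts TLS but falls back to plaintext
# DNS on port 53 when the TLS connection cannot be established, which is
# exactly the case a network that blocks port 853 creates.
# DNSOverTLS=opportunistic

# Corrected setting: strict mode. Queries fail rather than go out
# unencrypted, so the ISP sees no plaintext lookups.
DNSOverTLS=yes

# Route every domain through the global servers above instead of the
# per-link DNS servers handed out by DHCP (typically the ISP's).
Domains=~.
```

After restarting systemd-resolved, `resolvectl status` should list `+DNSOverTLS` among the active protocols and the Quad9 addresses as the current DNS servers. Applications with their own DoH setting, such as browsers, bypass the system resolver and need to be configured separately.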