I guess this list is aimed at everybody: it can be implemented without breaking too many habits, and with minimal knowledge.
Having everyone use SSL is better than nothing (and provides some amount of herd immunity to those that need to hide their communication).
Two factor auth protects against a number of threat classes, such as the "local criminal" they mention. People might not care about the NSA, but there are plenty of other reasons to care about security.
Right before the list they state that these only provide incremental improvements.
The last step might lead people to prism-break at some point (eg. during crypto parties).
> I guess this list is aimed at everybody: it can be implemented without breaking too many habits, and with minimal knowledge.
That's kind of the problem here. The whole situation is in such an advanced stage and so pervasive and based on such "advanced" technology that we simply can not get out of it by keeping our silly little habits that we're so used to. (And yes, it includes shunning the NSA partner companies' products: Google, Microsoft, Skype, Apple, Facebook, Yahoo, Paltalk, etc.)
This situation requires drastic measures, on the individual/personal level as much as on the societal level.
I guess I'll take EFF's marketing approach over yours:
My impression is that the article is for people who would be overwhelmed with prism-break (and couldn't do _anything_ with that list of tools - prism-break.org isn't very actionable without prior knowledge).
If someone without ITsec experience comes up and asks what to do about that nasty NSA stuff they've read in the news, and you tell them to drop their operating system ("Google, Microsoft, Apple" includes Windows, OSX, iOS, Android, Windows Phone), the applications that run on top of them, and their Internet based communication (Skype and Facebook), they'll probably ask you where they could buy a box of index cards and post stamps, and how to build a hut in the forest. And then turn around and change nothing.
That list provides a way to reduce the attack surface - not particularly against the NSA (because of the backdoors), but certainly against the Firesheep instance running on the neighbor's laptop in the cafe.
It also raises awareness without overwhelming newcomers.
Let them lock down their in-flight communication. You can still tell them about endpoint security later (and why US based corporate silos are a problem in that regard), so they can "level up".
If that list isn't radical for you, you're probably not the target audience.
For now, please note that it doesn't end with "you're done. Congratulations, you're now secure!", but with crypto parties and other ways to raise awareness - those are great places to consider and implement more radical steps towards security. At least if people are around who can lend a hand.
They're also not recommending air-gapping or converting your home into a Faraday cage. Sarcasm aside, "switching operating systems" and "switching email providers" are not exactly "steps you can take right now" (for values of "you" that include the average computer user). Maybe they're being realistic and trying to give people some low-hanging fruit that they can do to significantly increase their security that require minimal intrusiveness into their daily life and minimal technical knowledge.
I kind of agree with you here. Especially if it's tied to your identification personally. If you have an X@gmail.com or Y@yahoo.com then you're essentially at their mercy. But if you just buy a domain for 10 bucks a year, you can go to your registrar's page and forward mails from catchalls @FNLN.com to your secret X@gmail.com. If you don't like them, download it to outlook and move on to Y@yahoo.com and change the setting at your host record page. That is literally it. Your cost here to switch is the time it takes to download messages to your computer and close the account, sign up for a new account and redirect your alias to the new account. I would ideally automate step 1 as soon as I have opened an account.
You are not 'locked-in' to one provider, as your custom domain name becomes an abstraction between your identity to the real world and your storage space/identity to servers. You can change the latter without changing the former. Of course, if you were early enough you could've snagged a Google Apps account, or if you're just entering the scene, you can get a Live Domains account. The only downside is that they don't have catch-alls, so you can't have an on-the-fly email address like hn@FNLN.com for signing up at different websites.
"I am surprised that the EFF is recommending two factor auth instead of avoiding Google..."
Yes, I was surprised by this too. Giving away your mobile phone number is not something I'd consider doing lightly. What's more, Google have a poor record on privacy matters.
If you provide your phone number to Google, who has access to this info at the company? Is your phone number encrypted so that no-one sees it at Google? I.e. is it only accessed by automated computer systems? Do they have strict procedures in place that allow access to authorised staff under particular circumstances only? Do they tie your number to other tracking info? (Of course, Google would never reveal this, but it wouldn't surprise me if they did.)
I think these are perfectly legitimate questions to ask when a company stores your personal information. And particularly for a company that has greater oversight of online activity than anyone else. We don't know the answers to any of these questions, because Google's vaguely-worded privacy statements tell you nothing. (The help text when signing up to a Gmail account simply states "your phone helps with keeping your account secure...")
You might feel you can trust Google on matters of security, but can you trust them on matters of privacy?
The use of 2FA is clearly irrelevant to the issue of NSA internet surveillance. If the traffic is encrypted (and they can't decrypt it), then the authentication mechanism is irrelevant. If the data is stored in the US, they have access to it via Lawful Intercept capabilities, and therefore the authentication mechanism is irrelevant.
Of course, one should use 2FA whenever available, but it has nothing to do with avoiding surveillance. Indeed, it creates a stronger link between an account and an identity, i.e. anonymous twitter account + 2FA w/ mobile phone number == not anonymous.