A Privacy Ethicist Opts Out
Prepared Remarks for the Penn State Faculty Affairs Advisory Council on the Occasion of my COVID Mandate Noncompliance
To comply with policy AD101, I not only need to relinquish my right to privacy, bodily integrity, and medical autonomy, but I must also forsake my academic freedom, and privilege policy compliance over professional conduct with respect to privacy ethics. I may accessorize my golden handcuffs with a silken gag.
Penn State University has placed me on leave for noncompliance with university policy AD101 COVID-191, which may result in termination. This statement challenges the claim that my noncompliance renders me a unique threat to public health, and unable to perform my professional duties, including library research instruction and consultation. It further contextualizes my noncompliance in light of AC64 Academic Freedom and AD88 Code of Responsible Conduct, my teaching and scholarship, and the ethics of my discipline.2
AD101 COVID-19 and Public Health
Penn State University policy AD101 COVID-19 seeks to mitigate the transmission of the airborne SARS-COV-2, which causes the disease COVID-19, on Penn State Campuses and in our local communities.3 It does so by compelling employees to undergo medical procedures not of their own choosing, performed by healthcare providers not of their own choosing, and to share personal medical information with their employer and other third parties not of their own choosing. External to the policy is any consideration of personal health measures an employee will undertake in consultation with their own healthcare provider. Such health measures, freely chosen and practiced by the employee, do not satisfy AD101 COVID-19.
I have met with unit, departmental, and college-level administration regarding policy AD101 COVID-19. At no time did I engage in a clinical consultation with a Penn State University representative, and at no time were relevant medical credentials of those I met with presented to me. When asked about my plans to comply with the policy, I stated that I am following COVID-19 prevention and monitoring protocols developed in consultation with my family doctor. Indeed, I was blessed to bring a pregnancy to term from December 2020 to September 2021 when my daughter was born. During my pregnancy, I had more contact with the healthcare system than at any other point in my life. The personal healthcare practices we put in place kept me healthy, my family healthy, and by extension, my students, colleagues, and other contacts healthy. My students and colleagues are at no greater health risk in their interactions with me than in their interactions with anyone who is compliant with policy AD101 COVID-19. Public health is an emergent phenomena of personal health, and personal health is best achieved through informed consent, free choice in healthcare providers, and doctor-patient confidentiality.
Ability to Perform Professional Duties
Due to noncompliance with AD101 COVID-19, I have been deemed unable to perform my professional duties, including library research instruction and consultation. This claim is false and unbecoming an academic institution whose purpose is to pursue truth. Throughout the policy development of AD101 COVID-19, I have never consented to undergo COVID-19 testing under the terms dictated by the University, and never consented to share my vaccination status; in other words, I’ve been noncompliant as long as these requirements have stood.
In that same time period, I’ve expanded my research instruction portfolio and increased my availability for research consultations. I led a project to pilot a new instructional technology platform, which was subsequently licensed by University Libraries and adopted by more than fifty of my colleagues to develop upwards of a hundred technology-enhanced learning experiences for both in-person and online instruction. On this platform, I developed two virtual escape rooms to gamify research instruction in entrepreneurship and engineering, resulting in two publications (one invited and in press) on these instructional innovations.4
With a colleague, I was recognized by our disciplinary association, the Association of College and Research Libraries (ACRL), with a prestigious national innovation award for learning design and research in privacy literacy.5 I led the creation and hiring of a research graduate assistantship in privacy literacy currently underway, and am lead editor of a forthcoming volume on privacy literacy under contract with the premier publisher in academic librarianship. Also during this period, I authored or co-authored dozens of scholarly publications and presentations on topics including privacy literacy, intellectual freedom and the epistemic crisis, escape room pedagogy, and high-stakes experiential learning. Finally, my service commitments during this time included chairing the American Library Association Intellectual Freedom Round Table’s Education Advisory Special Committee and more than two years as a contributor to the ALA’s Intellectual Freedom Blog,6 as well as co-founding and -moderating the HxLibraries community of Heterodox Academy, among other efforts.
Let’s return to the topic of library research instruction and consultation, since these are the primary duties of my role as an instruction and reference librarian. Let me emphasize that I have delivered, and am willing to continue to deliver, in-person research instruction and consultation during this period. I have also developed and delivered a broad repertoire of highly effective and engaging original digital learning objects designed for both remote synchronous and asynchronous research instruction, many using the instruction platform I piloted for University Libraries. Using these materials, I continued to teach synchronously and asynchronously online throughout my maternity and parental leave in fall 2021. Likewise, I have conducted hundreds of research consultations online.
There are three systems in which I record research instruction and consultation activities: the University’s faculty activity reporting system, Digital Measures/Watermark; University Libraries’ transactional reporting system, Desk Tracker; and in a shared Google Sheet for my campus library. All three locations provide official mechanisms for recording online or remote synchronous and asynchronous instruction. The University, and University Libraries, officially recognize remote and synchronous instruction as legitimate teaching and learning modalities for someone in my role. Again, I am willing and able to deliver in-person instruction - but should the University deem my presence on campus a unique public health threat, my ability to deliver online synchronous and asynchronous instruction could satisfy my research instruction responsibilities. To suggest that I am unable to perform my duties is unsupported by the available evidence, is false, and undermines the truth-seeking telos of the university.
Mandates, Privacy Literacy, and the Ethics of Librarianship
Privacy is about respect for persons, not just protection for data.
Finally, I want to demonstrate how compliance with AD101 COVID-19 and related guidance conflicts with my subject matter expertise and disciplinary ethics on privacy, compromising my responsible conduct and infringing my academic freedom.
When most people consider privacy, they think of data privacy - keeping sensitive information secure and confidential. Data privacy is satisfied by sound data governance practices, data minimization, data lifecycle management, secure storage and encrypted transmission, appropriate data integrity checks and access controls, regulatory compliance, and so on. There is another dimension of privacy which many people intuit but find harder to articulate - this is autonomy privacy, the ability to be free from unwanted monitoring and intrusion.7 Garrett Keizer describes autonomy privacy as “resistance to being used against one’s will.”8 Autonomy privacy is achieved through choice and what Helen Nissenbaum calls contextual integrity: the ability to determine that the right people know the right things about you at the right time.9
AD101 COVID-19 puts both data privacy and autonomy privacy at risk. Already we have seen mass email notification to employees advising that those on leave need not comply with mandatory surveillance testing,10 suggesting a data integrity problem with managing pools of employees who are and are not covered by the policy. Similarly, we know that students were erroneously locked out of the learning management system due to a coding error in the algorithm meant to exclude non-compliant students from accessing Canvas,11 again indicating a data or code integrity issue that allowed instructors and classmates to make inferences, possibly incorrectly, about students’ vaccination or testing status.
My compliance with AD101 COVID-19 would require sharing health data with at least five primary entities - Vault Health, Zoom, Amazon Web Services, Salesforce Cloud, and Penn State University - under terms of service which I have not been able to review, but which likely include numerous named and unnamed third party service providers. No data service or cloud storage provider can reasonably guarantee the security or confidentiality of data in their systems in perpetuity, and it is not clear what restrictions are in place to prevent downstream, secondary use of this data.12 The original randomized surveillance testing program required participants to consent to the University sharing their testing data with any third party, “without limitation,”13 placing no restrictions on secondary use. This is a total abdication of data privacy.
More fundamentally, the University’s intrusion into personal health matters entirely negates autonomy privacy. Autonomy privacy harms can be harder to detect - which is precisely why my collaborator and I proposed the Six Private I’s conceptual framework to visualize the positive case for privacy in the human experience.14 Synthesizing extensive multidisciplinary literature, Six Private I’s conveys six primary zones of informational agency that privacy protects: identity (fundamental aspects of selfhood), intellect (thoughts, beliefs, expressions, and decisions), bodily and contextual integrity (bodily and medical autonomy and control over access to personal information), intimacy (ability to have close intimate and confidential relationships), interaction (freedom of association) and isolation (ability to voluntary withdraw into solitude).
AD101 COVID-19 impinges on all six privacy zones:
Identity Policy noncompliance casts me as the kind of person who would willingly put the health and safety of her community at risk. I am not. I am the kind of person who seeks and follows the guidance of a qualified clinician.
Intellect AD101 COVID-19 commits what Daniel Solove terms decisional interference15 by coercing submission to medical procedures, and compelling the disclosure of their resulting medical records.
Bodily integrity AD101 COVID-19 requires employees to provide biological samples and/or receive biologics into their bodies.
Contextual integrity By requiring medical procedures and compelling medical information disclosure, AD101 COVID-19 violates contextual integrity,16 rendering the University, as an employer, both clinician and medical decision-maker on behalf of employees. This context collapse violates employees’ ability to have separate and distinct professional and clinical relationships, and creates vast information asymmetries favoring the employer.
Intimacy AD101 COVID-19 intrudes on doctor-patient confidentiality and the clinician’s duty of care for her patient. The policy further intrudes on the family as a unit of medical decision-making.
Interaction AD101 COVID-19 policy requires employees to submit to healthcare providers not of their choosing, and to discuss personal health matters with their superiors.
Isolation AD101 COVID-19 and associated guidance compels employees to participate in employer-sanctioned meetings to discuss personal health matters.
A recent preprint17 advances the understanding of privacy from the complementary direction - by classifying privacy harms rather than its benefits. The eleven explicated categories of data misuse include: generating coercive incentives, compliance monitoring (including workplace surveillance), assessment and discrimination, contacting the data subject, and reacting strategically to actions or plans of the data subject. Each of these data misuses is evident in enforcement of AD101 COVID-19.
Both Six Private I’s and the Classification of Personal Data Misuses advance a common theme: privacy is about respect for persons, not just protection of data. Privacy theorists Anita Allen,18 Julie E. Cohen,19 and Alan Westin,20 among others, observe a cultural decline in the value of privacy. They warn that the erosion of privacy norms prepares the way for increased interference in the day-to-day lives of individuals and communities by profiteers and governments, leading to corporatism, fascism, and totalitarianism. In The Age of Surveillance Capitalism, Shoshana Zuboff articulates the cycle of “digital dispossession,”21 by which surveillance capitalists intrude into ever more intimate spaces of daily life to capture behavioral data that enables them to reduce the cost of risk and maximize the profit of the powers of prediction and manipulation. She explains that habituation, whereby “new contested practices become more firmly established as institutional facts,”22 is a key phase of the cycle of dispossession. Zuboff further claims that the workplace plays a central role in habituating people to the increasing encroachment of surveillance and control, describing work as “the gold standard of habituation contexts, where invasive technologies are normalized among captive populations of employees.”23 Veronica Barassi describes a broader phenomenon of “systemic coercion of digital participation,”24 by which people have no meaningful choice between preserving their privacy and gaining access to the basic necessities of life, including education, healthcare, and employment.
As institutions, libraries are a bulwark against the encroachment of surveillance and for the advancement of privacy culture. The American Library Association’s Professional Code of Ethics includes article III, “We protect each library user's right to privacy and confidentiality with respect to information sought or received and resources consulted, borrowed, acquired or transmitted.”25 ALA’s Library Bill of Rights extends this work further, calling on libraries to “advocate for, educate about, and protect people’s privacy.”26 In its Interpretations of the Library Bill of Rights, ALA “affirms that rights of privacy are necessary for intellectual freedom and are fundamental to the ethical practice of librarianship,” stating that “Privacy is the foundation upon which our libraries were built and the reason libraries are such a trusted part of every community.”27 A December 2021 article in the Canadian Journal of Academic Librarianship calls on library workers to resist “crisis surveillance capitalism.”28 My own contributions to the understanding and practice of privacy literacy were cited in the Association of College and Research Libraries’ 2021 Environmental Scan on the emergence of privacy literacy.29
A librarian and subject matter expert in privacy offers a perspective on COVID-19 mandates that should be valued in the ongoing debate about their ethics and implications. Indeed, certain aspects of Penn State University’s policy on academic freedom, AC64,30 and Code of Responsible Conduct, AD88,31 encourage such engagement. AC64 ensures my right to speak and write as a citizen on matters of public concern, free from institutional censorship or discipline - a right that I exercised as University sanctions against me unfolded.32 AD88 requires me to uphold academic freedom and freedom of speech, and to abide by the professional code of ethics applicable to my work. However, the Guidance on Instructor, Researcher, and Faculty Member Violations of Penn State’s Requirements and Expectations to Reduce the Risk of COVID-19 modify both academic freedom and responsible conduct policies. The Guidance forbids faculty members from “encouraging others not to follow university guidance.”33 Privacy advocacy and privacy literacy instruction in conflict with AD101 could easily be construed as “encouraging others not to follow university guidance.” Further, AD88 requires employees to “follow all applicable University policies and procedures,” creating a conflict between policy compliance and professional conduct. As it stands, the University could enact a wholly unethical policy and then terminate employees for noncompliance or even speaking out against it. To comply with AD101, I not only need to relinquish my right to privacy, bodily integrity, and medical autonomy, but I must also forsake my academic freedom, and privilege policy compliance over professional conduct with respect to privacy ethics. I may accessorize my golden handcuffs with a silken gag.
When noncompliance protocols were initiated against me, I was officially advised to resign my position rather than face disciplinary procedures, as if my noncompliance should be a source of shame. But Shoshana Zuboff calls on us all to “be the friction”34 in the surveillance capitalist machine by simply opting out, and the most fundamental form of advocacy against unethical dictates is noncompliance. I will never be ashamed of my privacy advocacy. An employer who alters an employment contract to compel medical procedures and disclosure of private health information replaces consent with coercion. The choice between privacy and public safety is, and has ever been, a false one. There are myriad ways in which the loss of privacy, and the diminishment of privacy culture, makes us all less safe. Penn State University should recognize the capability of its employees, and students, to make sound medical decisions in confidential consultation with their chosen healthcare providers - the approach recently adopted by Virginia Tech.35 The University could be a leader in upholding essential privacy interests while maintaining public health.
Penn State University, “AD101 COVID-19,” first published August 24, 2020, https://policy.psu.edu/policies/ad101
“AD101 COVID-19,” https://policy.psu.edu/policies/ad101; Penn State Faculty Affairs, “Guidance on Instructor, Researcher, and Faculty Member Violations of Penn State’s Requirements and Expectations to Reduce the Risk of COVID-19,” first published August 17, 2021, https://sites.psu.edu/academicaffairs/files/2021/08/Guidance-on-Instructor-Researcher-Violation-of-PSU-COVID-19-policies-8.17.21.pdf; Penn State University, “AC64 Academic Freedom,” https://policies.psu.edu/policies/ac64; Penn State University, “AD88 COde of Responsible Conduct,” https://policies.psu.edu/policies/ad88.
Sarah Hartman-Caverly, “Engineering Achievements of Berks County,” https://psu.libwizard.com/f/BerksENGRAchievements; Sarah Hartman-Caverly, “Exfiltration!”, https://psu.libwizard.com/f/ExfiltrationEscRoom; Sarah Hartman-Caverly, “Exfiltration! Gamifying CI Instruction with a Virtual Escape Room,” Ticker: The Academic Business Librarianship Review 5, no. 2 (2021), https://doi.org/10.3998/ticker.16481003.0005.213; Sarah Hartman-Caverly, “‘The Da Vinci Code for IP Research’: Case Study of a Course-Integrated Educational Escape Room in Entrepreneurship Education,” Ticker: The Academic Business Librarianship Review (forthcoming July 2022).
ACRL’s Instruction Section, “2021 ACRL Instruction Section Innovation Award Winners Interview: Alexandria Chisholm and Sarah Hartman-Caverly,” April 28, 2021, https://acrl.ala.org/IS/2021-acrl-instruction-section-innovation-award-winners-interview-alexandria-chisholm-and-sarah-hartman-caverly/.
The Office for Intellectual Freedom of the American Library Association, “Author: Sarah Hartman-Caverly,” Intellectual Freedom Blog, https://www.oif.ala.org/oif/author/sarah-hartman-caverly/.
Lisa Ho, “Privacy vs. Privacy,” EDUCAUSE Review, February 25, 2015, https://er.educause.edu/blogs/2015/2/privacy-vs-privacy.
Garrett Keizer, Privacy (New York: Picador, 2012), 20.
Helen Nissenbaum, “Privacy as Contextual Integrity,” Washington Law Review 79, no. 1 (2004): 138-140. https://digitalcommons.law.uw.edu/wlr/vol79/iss1/10/.
ProPublica reports that 2021 was a banner year for data breaches. Cezary Podkul, “Despite Decades of Hacking Attacks, Companies Leave Vast Amounts of Sensitive Data Unprotected,” ProPublica, January 25, 2022, https://www.propublica.org/article/identity-theft-surged-during-the-pandemic-heres-where-a-lot-of-the-stolen-data-came-from.
Sarah Hartman-Caverly and Alexandria Chisholm, “Privacy Literacy Practices in Academic Libraries: Past, Present, and Possibilities,” IFLA Journal 46, no. 4 (2020), https://doi.org/10.1177%2F0340035220956804 (open access: https://scholarsphere.psu.edu/resources/6e465f98-fc36-478e-bba5-3f29c52a7632).
Daniel Solove, Understanding Privacy (Cambridge: Harvard University Press, 2008), 166.
Nissenbaum, “Privacy as Contextual Integrity,” 138-40.
Jacob Leon Kroger, Milagros Miceli, and Florian Muller, “How Data Can Be Used Against People: A Classification of Personal Data Misuses,” SSRN, https://dx.doi.org/10.2139/ssrn.3887097.
Anita L. Allen, “Coercing Privacy,” William and Mary Law Review 40, no. 3 (1999): 728, https://scholarship.law.upenn.edu/faculty_scholarship/803/.
Julie E. Cohen, “What Privacy is For,” Harvard Law Review 126 (2013), 1916, https://harvardlawreview.org/2013/05/what-privacy-is-for/.
Alan Westin, Privacy and Freedom (New York: Athenaeum, 1967), 98.
Shoshana Zuboff, The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power, (New York: Hachette, 2019), 100.
Zuboff, The Age of Surveillance Capitalism, 139.
Zuboff, The Age of Surveillance Capitalism, 156-57.
Veronica Barassi, Child Data Citizen: How Tech Companies Are Profiling Us From Before Birth (Cambridge: MIT Press, 2020), 34.
American Library Association, “Library Bill of Rights,” https://www.ala.org/advocacy/intfreedom/librarybill.
American Library Association, “Privacy: An Interpretation of the Library Bill of Rights,” https://www.ala.org/advocacy/intfreedom/librarybill/interpretations/privacy/.
Callan Bignoli, Sam Buechler, Deborah Yun Caldwell, and Kelly McElroy, “Resisting Crisis Surveillance Capitalism in Academic Libraries,” Canadian Journal of Academic Librarianship, 7 (2021), 1-25, https://doi.org/10.33137/cjalrcbu.v7.36450.
Association of College and Research Libraries, “2021 Environmental Scan,” https://www.ala.org/acrl/sites/ala.org.acrl/files/content/publications/whitepapers/EnvironmentalScan2021.pdf, 17.
Beth Brelje, “Penn State Employee: Medical Privacy Has Taken a Backseat During the Pandemic,” The Epoch Times, January 19, 2022, https://www.theepochtimes.com/penn-state-employee-medical-privacy-has-taken-a-back-seat-during-the-pandemic_4220226.html.
Zuboff, The Age of Surveillance Capitalism, 520.
“From President Tim Sands: Changes in Vaccine Mandate, Plans for Successful Semester,” January 31, 2022, https://vtx.vt.edu/articles/2022/01/president-message-013122.html.