Web Informant #197, 1 May 2000:
Surfing on company time


My essay on the big blur from WI #196 got lots of great comments from you, and brings up another issue. You know your staff is surfing around the web on company time, looking at personal sites when they should be working and developing code. The trouble is -- should you do anything about it?

This is a lot harder question than determining whether to block (or charge) employees from making personal phone calls. Part of the problem is that the web is so public an entity: unlike a phone call to some family member, surfing around from the corporate network leaves all sorts of trails and can affect more than just the individual surfer. Consider these examples:

I am sure you can think of more examples and have seen your share of questionable personal activities. All of this isn't new: back in the good ole days of PCs (say the late 1980s), you could find games with a special "boss" button that would instantly change the screen display into some innocuous spreadsheet in case you-know-who happened by your cubical. Maybe the time has come for something similar as a web plug-in.

The trouble is today the web and the Internet have become well integrated into our daily lives. Besides, a counter argument to using the workday for personal items is that the work day isn't just 9 to 5: I check my email from home at all hours of the day and night - shouldn't that count towards my work time and allow me a little slack during the day? And a recent article in the Wall Street Journal mentions how a father-to-be was sending real-time progress report emails from the delivery room. A bit too much, even for me.

There is the potential for discrimination lawsuits for some of the more offensive activities, to be sure. And your company owns this gear and has every right to determine how it will be used. You want to trust your staff to do the right thing, and to be responsible for their actions. You believe you have hired professionals who can get their jobs done.

Still, at a minimum, you need to lay out something in writing about your corporate policies about personal use of computer systems. I am amazed at how many companies still don't do this. If you are one of them, please put something down on paper it today. It doesn't have to be fancy, complete, or involved. Just be specific about what is permitted and what isn't, and what are the consequences. Your staff will feel better about it, believe me, and everyone can get back to doing their work.

I think the written guidelines are preferable to more heavy-handed approaches, such as implementing network blocking or monitoring software. Sure, there are situations that call for these more draconian measures, such as in public schools where you want to protect children from viewing more offensive sites. But the blocking approach is fraught with issues such as who decides on which sites and what may be inappropriate for a second grader is fine for a tenth grader.

And even implementing monitoring software can be troublesome: what do you do with all of this data that is collected on individual's surfing habits? Maybe a better idea is to say you are monitoring outbound web usage but then don't actually turn the collectors on. A few places I know have done this and the actual threat of the monitoring programs cut back the most egregious abusers.

The blur between our home and work lives will continue, to be sure. And to make both more productive, all of us need to be clear about what kinds of computing activities are permitted in both places.


After I wrote the above, Chris Bernard a software engineer with Recovery Management Corporation, sent in the following comments:


Here are my suggestions:


1. For those who need unlimited access, implement the policy of tracking sites visited. As you pointed out, this is enough in and of itself to stop most abuse. Monitor the logs as appropriate, but the key is to announce the policy, and from time to time, even announce general areas of abuse (sans individual's names).


2. Remove Internet access from those who don't need it for their job. Identify those who need limited access and put them in an interest group with a finite number of relevant sites maintained by the company. In many cases there only needs to be one such group per company. This is neither difficult, nor draconian, since we're talking about company resources and time here.


I fail to see why companies don't do these two things, having seen the kind of abuse that goes on at various places.


To subscribe, send a blank email to

To be removed from this list, send a blank email to

David Strom
+1 (516) 944-3407
back issues
entire contents copyright 2000 by David Strom, Inc.
Web Informant is registered trademark with the U.S. Patent and Trademark Office.
ISSN #1524-6353 registered with U.S. Library of Congress.