Surf and Skive: Work and Play

April 14, 2008

One of the current worries in the world of managers is that staff waste time networking with friends on sites such as Facebook or MySpace, instead of working. This is not a new concern by any means; similar worries have plagued businesses at each stage of the computing and Internet revolution.

Many firms are asking their IT departments what can be done to monitor and control the use of these kinds of sites, and this article takes a brief looks at some of the issues that are involved.

The Sites

The current concerns are largely around the huge rise in prominence of social networking sites such as Facebook and personal information sharing sites such as YouTube. Related Web-based activities include blogging, where huge amounts of time can be spent either reading or creating online diaries or opinion columns on almost any topic under the sun.

Other sites, possibly more traditional sites (in an Internet sense), that can occupy a lot of time for staff are online shopping sites of all kinds, and especially the more interactive auction sites, of which eBay is by far the most popular in the UK.

For a small section of the firm, time may be lost playing online games. These can be either the simple flash based games available all over the Internet, or the huge and intensive multiplayer (MMORPGs) games set in virtual worlds.

It is worth noting that none of these sites in themselves are a problem, and someone spending 15 minutes one lunch hour (which for a lawyer may be their first 15 minutes of downtime at 4 pm) is not causing a problem. However someone spending ten minutes of every hour checking up on their friends, or taking three or four half hour sessions on different sites is.

Restricting Use

Restricting access to certain sites is not a major technical problem. It can be done by IP address or by domain (site) name, and many firms will have the ability to fine tune controls to allow access to certain individuals or restrict access to certain times of the day.
However there is no clear way of identifying different types of site (there is no central list of ‘time wasting’ sites) so each site would have to be identified and blocked individually, and there are vast numbers of smaller and subject specific sites in addition to the well known ones. Further, many of these sites will have social networking aspects as part of a wider site that may be much more commonly used by the firm, and this causes additional work on the part of system administrators who have to set up exceptions to the controls. Overall, whatever software and hardware is put in place there is a considerable administrative overhead involved in restricting sites at a technical level.

What is also a problem is identifying business use against personal use. Law firms use the Internet as a research tool in many ways, and even if social networking sites are not used directly by members of the firm, they will often contain information of interest, and may be used by both clients and other parties related to a matter. Some matters may indeed directly concern information posted on these sites.

These problems can be compared to the related problem of restricting access to Web-based e-mail accounts; there are so many sites it is not possible to restrict them all, and use will be split between personal and business use.

It is also worth bearing in mind that partners and lawyers (and indeed most responsible staff) have always taken a dim view of external restrictions placed on their ability to access the Internet, especially where these demonstrate a degree of mistrust and an assumption that staff cannot be trusted.

Monitoring Content

An alternative approach is to look at the content of sites and the data being submitted to users to identify the characteristics of personal sites. (I will not concern myself here with what the laws are regarding this.)

Again, the main problems here are in defining what constitutes a time wasting Web site, and also what is personal as opposed to business use. Such a solution would have problems both with false negatives (allowing access that should have been stopped) and false positives (stopping access that should have been allowed). The latter can be costly to a law firm if it affects the timeliness or accuracy of advice given to clients, and will certainly generate complaints to IT support.

The major problem with any aggressive monitoring and restrictions based on content analysis are the perceived or actual invasion of privacy, which is likely to cause problems with staff even if there are not legal issues.

The SSL Problem

All of the technical solutions have a major flaw in that they can easily be avoided (or are made ineffective by) SSL encrypted sites, in other words any secure site. Because the traffic is encrypted from the Web server to the Web browser on the user’s PC, no decisions can be made or action taken on the content.

While SSL sites hosting social networking or other sites can still be blocked, there is the additional possibility that users can make a secure connection to a Web proxy on the Internet that then allows them to access other sites from there, with the connection from the proxy server to the browser being encrypted even if the end Web site is not. While such annonymising proxy servers are largely used to circumvent security and monitoring systems, their existence is something firms need to allow for when trying to use technical methods to restrict access to certain Web sites.

There are some technical solutions available that break the secure link at the firm’s Internet gateway, which essentially forms a spoofed (or fake) secure connection from Web server to browser that is in effect in two parts – a secure connection from Web server to gateway, and another secure connection from the gateway to the user’s browser. As these cause a mismatch of security certificates, the firm also needs to set up each browser to trust the secure connection to the gateway to avoid warning messages, but this is not difficult to achieve in a controlled network. Such solutions are not perfect and some SSL links will not work over them, but most Web sites would. These solutions are likely to cause problems if implemented with members of the firm however; they are unlikely to give permission or approve of their employer intercepting their secure Web traffic, whatever the reason.

Information Leak Prevention

Where firms do need to be aware of changing risks is in the area of information leakage, and social networking sites do form part (but far from all) of the increasing risks. Information leak prevention is concerned with ensuring that information that should stay within the firm does so, whether this is confidential client data or business information relating to the firm and its strategy. Directly related is the issue of damage to the firm’s brand, or worse, by unapproved comments and opinions made by members of the firm on publicly available Web sites. In these areas, firms should be making sure that senior management and risk management staff are fully aware of potential issues, and the firm should be adjusting its procedures to counteract the increase in risk.


Social networking sites are not all bad for business. Some sites such as LinkedIn focus entirely on creating social networks for business professionals, and most others are adding features specifically for business use. Even without additional features, many people have used social networking sites as general online collaboration tools for business as opposed to personal use.

Leading on from this, some large organisations are implementing internal sites with similar features to encourage communications between different areas of the business. In many ways, these are just the latest incarnation of the firmwide telephone directory, which in most firms has evolved into an intranet application listing everyone in the firm with a basic profile (name, roles, department, practice groups, committee memberships etc). An upside of the huge interest in this type of software is that a wide choice of off-the-shelf packages are likely to become available, reducing the need for firms to develop such systems internally. The most useful features for law firms will also find their way into the standard core systems of practice management and document management, and especially in the area of all in one systems for smaller and medium sized firms.

Possibly more importantly, there is a benefit to firms of the personal social networking Web sites. Law firms don’t run large sales teams to win business, rather they work on reputation and networks of contacts. While few partners are likely to be using such sites at the moment, the exact opposite is true of the latest intake of trainees. If these future lawyers are maintaining contacts over the long term on these systems, this is to the advantage of the firm. As their cohort from school, university and law training rise through the ranks of business and professional services, this networking will change from discussions of nights out and drinking habits to opportunities for doing business together.


Social networking sites are certainly an opportunity for time-wasting in the office, but the type of people who abuse their access to the Web in this way have found ways to avoid work since before the Internet was invented. Spending time and money trying to limit or monitor in detail this kind of activity, especially if targeting just sites that happen to be the flavour of the month, is a waste of resources that could be better invested in systems that provide support for the activities of the firm, which may in fact include social networking systems. Time-wasting by staff is an issue that needs to be detected, monitored and managed by line managers and supervisors, and not by technology.

Firms should make sure that at management level they have some understanding of both new technology and new types of social interaction that development of the Internet will continue to bring, in order to understand the effect on their business. Trying to ban or control things because managers do not understand them is a characteristic of poorly run organisations.

The wider topic of information leak prevention includes the key risks associated with social networking sites, blogging and other recent Internet innovations. Firms should be investing time in assessing the risks and putting in place procedures and IT systems to reduce and control these risks.

Finally, firms should be aware that these new styles of networking are important social developments and marketing and business networking plans should both show awareness of them and include them in their strategy.

Adam Westbrooke is the managing director of Firstcourt, a strategic IT solutions company specialising in helping professional services firms. For more information call Adam on 0870 350 3660 or see