Over the past two years, government organizations have increasingly begun to use the Internet (especially the World Wide Web) to disseminate and gather information and to offer services to the public. As these applications multiply, concerns surrounding appropriate use, management, and value have emerged. In so short a time, states, localities, and federal agencies have only begun to explore the possibilities and understand the complexities of the Internet. As a result, Internet use policies are only in their infancy. As part of an Internet Services Testbed project, the Center for Technology in Government collected and reviewed existing government policies during April - July 1996. We tried to learn what topics were currently considered most important and to see how these topics were treated in policy documents. Most policies examined came from states and are meant to govern the activities of individual agencies. Each policy was reviewed to answer two questions:

• What do state governments consider essential items to cover in an Internet policy?
• What kind of guidance do they give? (e.g., very specific rules, guiding principles)

We searched the WWW for state government policies and also solicited responses from government organizations through the NASCIO and GOVPUB listservs. NASCIO is the National Association of State Chief Information Officers, an organization representing the information management agencies and professionals in all 50 states. GOVPUB is an Internet discussion list created to encourage discussion among state and local government professionals who are responsible for creating and maintaining Internet services. In all, we reviewed 17 government polices (twelve states, two state agencies, two federal agencies, and Australia). The variety we found reflects the wide range of uses and approaches that can be seen in the way governments use the Internet today. The policies ranged from very detailed "cookbooks" with many definitions and procedural requirements to "guiding principles" that emphasize over arching policy goals. Some cover a full range of topics, others emphasize only one or two. After examining the various policies, four main focus areas emerged.

This area focused on a rationale for why a government or an agency should consider connecting to the Internet. Some states paid very close attention to this topic and this was reflected in the specifics of their policies. Policy makers who envisioned both the pitfalls and the potential productivity enhancements of Internet-based services were better able to articulate why a given restriction, freedom or measure might be necessary. Most policies sought in some fashion to explain why the Internet was a "good thing." Education, research, and better communication were the most often cited reasons for connecting to and using the Internet. The more comprehensive policies took the time to explain both the benefits and costs associated with Internet use. In short, the policy makers who thought through and then explained what the Internet could be used for seemed to have also developed more comprehensive and useful policies. These policies strike a balance between micro and macro management. They explain reasons for connecting to the Internet and examine connectivity in the light of both pluses and minuses.

Many states were concerned with design criteria or guidelines for WWW sites. This concern over the appearance of Web pages surfaced with greater focus and clarity in the more recent policies and encompasses such topics as "look and feel," consistency from agency to agency, and useful navigation aids. These policies ranged from many specific rules that must be applied to all sites to very general guidelines that left implementation up to individual agencies. The very specific policies tended to require certain design features and detailed programming methods for the creation of Web sites.

Security was a major concern in almost all of the policies and was covered in great detail in many of them. Most of the security issues centered around the protection of "sensitive" documents and explicit assignment of responsibility for security. Many specified technology requirements to ensure network and hardware security. Security policies varied in the degree to which a state delegated security responsibilities to agencies and the extent to which they defined the types of materials that should be considered in establishing policies. In almost every case, however, security responsibilities were ultimately placed on the specific agency desiring an Internet connection or presence.

Almost all of the policies establish behavioral guidelines for employees. Most policies were very explicit about what are acceptable and inappropriate uses of on-line services. Almost universally, the policies sought to prohibit the use of the Internet for illegal activities or personal gain and to protect against copyright infringements. Privacy concerns were also common. Some of the most recent policies address non-business activities like "surfing" and games.