Forget Whitelists and Blacklists: Go for 'Allow' or 'Deny'Terminology Shift Announced by Britain's National Cyber Security Center
Forget "whitelists" and "blacklists" in cybersecurity.
For those not in the know, in the digital realm, these refer to lists of things that should be respectively allowed or denied. For example: Lists of approved or denied websites that web monitoring tools either allow users to visit, or not.
If it's good, say it's allowed. If it's bad, then say it's denied.
Given the racial connotations inherent in the terminology, however, here's a no-brainer move: Instead of whitelist and blacklist, why don't we just say allowed or denied?
So recommends Britain's National Cyber Security Center - part of intelligence agency GCHQ - which is the U.K.'s national incident response group and computer emergency response team.
Henceforth, the NCSC says it will be using the terms "allow list" and "deny list."
"It's fairly common to say whitelisting and blacklisting to describe desirable and undesirable things in cybersecurity. For instance, when talking about which applications you will allow or deny on your corporate network; or deciding which bad passwords you want your users not to be able to use," says the NCSC's "Emma W." in a Thursday a blog post on the NCSC website. (As they work for an intelligence agency, none but topmost NCSC officials publicly reveal their surnames.) "However, there's an issue with the terminology. It only makes sense if you equate white with 'good, permitted, safe' and black with 'bad, dangerous, forbidden.'"
As the title of the NCSC's blog post reads: "Terminology: it's not black and white." Blacklists and whitelists, in other words, are not wholly neutral terms.
"So in the name of helping to stamp out racism in cybersecurity, we will avoid this casually pejorative wording on our website in the future," Emma W. says. "No, it's not the biggest issue in the world - but to borrow a slogan from elsewhere: every little helps." (For non-U.K. residents, that's the slogan of British supermarket giant Tesco, meaning that while it might only save you a few pennies here and there, it all adds up.)
Will people buy into the NCSC's move? The NCSC isn't seeking permission; its management board has fully backed the move. "If you're thinking about getting in touch saying this is political correctness gone mad, don't bother," says Ian Levy, the NCSC's technical director.
Extra Points for Clarity
Bonus: Saying "allow list" or "deny list" is simply clearer. As the Brits say, they literally do what they say on the tin, no additional explanations required.
Based on previous discussions I've had with those outside the cybersecurity field, the meaning of blacklist and whitelist in an information security context is not inherently obvious. Anything that makes these concepts easier to understand is to be further embraced.
This isn't the first attempt to move beyond these terms.
"Years ago I saw some suggest the use of 'block list' instead of 'blacklist,' but I don't think that caught on widely," says British security expert Graham Cluley in a blog post.
"Maybe 'allow list' and 'deny list' won't become the norm either, but I think we should all do our little bit to try to help move away from old terms which equate good things with white and bad things with black," he says. "Furthermore, you don't have to explain what 'allow list' and 'deny list' mean - it's clear language which is self-explanatory."
In the bigger picture, file these suggestions under the category of trying to make cybersecurity a more inclusive and human-centered discipline.
And this isn't the first time Emma W. - NCSC's people-centered security lead, meaning she looks for ways to make cybersecurity work better for humans - has weighed in on such matters. Previously, she's issued NCSC guidance on the role of training for combating phishing - namely, that while it's helpful, it's not foolproof, and blaming users when it fails is counterproductive (see: Successful Security? Stop Blaming Users).
She's also warned that when it comes to expecting users to maintain and manage complex passwords for the dozens or hundreds of accounts and services they use, the only way to do so is to employ password managers (see: Experts' View: Avoid Social Networks' Single Sign-On).
"Until recently, we haven't put anything like enough emphasis into understanding how people function as elements of sociotechnical security systems," Emma W. says."We haven't really known how best to support people in doing their jobs, so they can do those jobs as well as they can without security getting in the way. And as a result, we've been getting a lot of things wrong."