‘Whitelist,’ ‘Blacklist’: The New Debate Over Security Terminology

For many years, terms such as “blacklist” and “whitelist” were commonly used within cybersecurity and infosec circles to simply designate what person or application had access to a system or network (and which ones were denied).

In the wake of months-long, nationwide protests over issues such as racial injustice and police misconduct, the cybersecurity and infosec communities are having their own debate over terms such as “black” and “white” and what those connotations mean. Is it now time to change the terminology of security to make the industry much fairer and a more inclusive community?

Some of these issues have already bubbled up to the surface.

In late April, just as protests in the U.S. and elsewhere were building, the U.K. National Cyber Security Centre, which is part of the British intelligence agency GCHQ and runs that nation’s incident-response team, published an announcement that it would now use the terms “allow list” and “deny list” in place of the more traditional whitelist and blacklist. 

In June, Cisco Talos, the threat research arm of Cisco’s security division, announced a similar measure.

“While we acknowledge it is a small change, Cisco Talos is moving to replace our use of the terms ‘blacklist’ and ‘whitelist’ with ‘block list’ and ‘allow list,’” according to the Cisco Talos team. “Even though these terms are commonly in use in the security industry, we will not go along with casually assigning positive connotations to ‘white’ while assigning negative connotations to ‘black.’”

There’s even a debate brewing over whether one of cybersecurity’s most recognized events—BlackHat—should change its name to reflect the broader debate. In early July, David Kleidermacher, the vice president of engineering at Google who oversees Android Security and the Google Play Store, announced he was withdrawing from a scheduled talk to spur the infosec community into using more neutral terms.

“While many people will rightly claim they never consciously associated such terms with racism, the reality is that words matter, and these words perpetuate the notion of ‘white’ as ‘good’ and ‘black’ as ‘bad,’” Michelle McLean, vice president of product marketing at security firm StackRox, told Dice. Her company has also started using more race- and gender-neutral terms such as “allow list” and “deny list.”

“Linguists have long made a compelling case that words directly shape our consciousness and our reality, so we need to take steps like removing such racist terms from our technical vocabulary as a small part of a much larger effort needed to create positive environments and opportunities for Black and other underrepresented people in tech,” McLean added.

Ongoing Debate

While it might seem that the IT, developer and security communities have only recently started debating word choices such as whitelist and blacklist, as well as “master” and “slave,” concerns over the use of these terms and what they mean have been part of the discussion for some time.

In 2018, for example, two Irish scholars published a research paper addressing “widespread use of racist language in discussions concerning predatory publishing,” including the terms blacklist and whitelist.

Thomas Hatch, CTO and co-founder of security firm SaltStack, believes that not only do more modern and race-neutral terms help eliminate racist language, but they also offer clearer definitions of what security should mean to an organization.

“In the past, most of us did not consider the connotation within the terms whitelist and blacklist. We just thought about them as standard computing terms,” Hatch told Dice. “However, moving away from using terminology that has originated specifically from such inhumane practices is positive for the security industry as well as other industries. It has been refreshing to see this trend sweep through tech.”

A More Perfect Future

While the debate over terms such as blacklist and whitelist has really only started, and not everyone may feel the need to change these, Heather Paunet, vice president of product management at security firm Untangle, believes that eliminating certain terminologies now can pay off down the road by making cybersecurity and infosec more inclusive and respectful of the talent it wants to draw on.

“‘Blacklist’ and ‘whitelist’ are terms that needed to be learned by newcomers to a security company, or security product, because it’s not clear when you first come across them what they mean,” Paunet said. “Using terms where it’s obvious what they do will make for easier to understand security solutions, as well as promote a culture of not going along with the use of terminology that promotes positive or negative associations with the colors ‘black’ and ‘white.’”

StackRox’s McLean also believes that updating the words the industry uses can help change the culture, making cybersecurity a more attractive career for many more talented people from diverse backgrounds.

“The security industry will only benefit from being able to tap into a larger and more diverse talent pool as we work together to protect critical applications and infrastructure,” McLean said. “Thinking more broadly creates better solutions, and the security industry needs that talent pool more than ever.”

12 Responses to “‘Whitelist,’ ‘Blacklist’: The New Debate Over Security Terminology”

  1. Rodney L. Hergenrader

    How about having a Green and Red List for security access as well as just going with Primary and Secondary instead of Master and slave. This will leave a yellow list for entries security has yet to determine which category to assign. All it takes is one of the big players, especially if Microsoft, Cisco, etc. adopts and agrees on a standard – this way it will be somewhat easy for everyone to say – this is how it will be from now on in all communications, documentation and training contained within each company that deals or has IT associations.

  2. Protests seem funded, otherwise they would fight for certain race lives from Chicago gang wars. And they look like they are meant to disrupt the US and defame the Trump Administration.
    No race or religion is superior. People of all kinds of races or religions are happily working together everywhere. Terminology has nothing to do with race.

  3. i.b. hemp

    Rodney, Green and Red list still require cultural context to make sense.

    “Dear IT admin, please green list these domains.” — potentially unclear/ambiguous.

    “Dear IT admin, please mark these as approved domains.” — clear, unambiguous.

  4. ‘Black’ and ‘White’, in the IT world, have forever been based on the cowboys from the old westerns, where the bad guys always wore black, and the good guys white.
    Bringing in race or skin color to this subject comes from racists only. No one, NO ONE, has ever made this same assumption before.

  5. Ellery Russell

    I doubt there was ever a time when white European society as a whole had not come in contact with a black African, or a middle easterner, or otherwise. You may be able to make the case that darkness/night vs lightness/day is the origin, but over time that has become conflated with race in many ways. Just look at Aladdin, where evil Jafar is a dark-skinned Arab with racist features, while the heroes are much lighter with white features.

  6. Old Engineer

    The context of black and white hats on cowboys is in relation to the movies and early TV, which were both in black and white. I personally did not have a color set in my house till the 70s. There were no colors; the only way you could tell sides was by contrast, Black White. We are changing things to feign progress without addressing the real issue. Systemic poverty caused by an unequal educational system. I remember seeing my first black engineering professor; his comment the first day of class was that he was disappointed there were no blacks in his class. It was long ago, but to this day black engineers make up less than 5% of the engineering students; heck, only 5% of black students choose engineering. It is time to put this minutia down and pick up our real problems.

  7. Arkanova Garda

    I agree with “Old Engineer”. Of course we can never tolerate racist language like e.g. “the N-word”, but words with no connection to racism like “blacklist” or “whitelist” are not the problem. The problems are much more complex and must be tackled properly. The “whitelist”/“blacklist” discussion in my opinion only obscures the real problems.

  8. Arkanova Garda

    @Ellery Russell
    Well, talking about “white European society as a whole” is historically wrong and discriminating. “White Europe” has always (also before the arrival of non-white people) been a culturally and ethnically diverse continent. The different peoples have very different historical backgrounds. When hearing “white”, people tend to only think of e.g. Germany, England, France, Spain or Belgium with their colonial histories and Germany’s history of the Holocaust. They forget about the white peoples of south-eastern Europe, e.g. Bulgarians, Serbians or Croatians who themselves were colonised and enslaved by the non-white Muslim Ottoman Empire or central-eastern Europe like the Polish-Lithuanian Commonwealth that never really had contact with black people and was itself threatened by white Germans, Austrians and also the Ottoman Empire, which actually enslaved many Slavic people from the southern territories of the Commonwealth. The history of racism and slavery, like human history itself, is not “black and white”. For some people terms like “blacklist” come with racist connotations (colonial history?), while for others the terms are still neutral with their origin in darkness/lightness (Eastern European historical background). Is forcing racist connotations on others OK?

  9. Arkanova Garda

    @Ellery Russell
    P.S. concerning Disney’s Aladdin from 1992, I guess that is what you are referring to (?), honestly, princess Jasmine looks “as Arab” to me, as Jafar. Besides I have never really thought about either Aladdin’s ethnicity, or Mulan’s, or Obi Wan’s or Lando’s. Though I would not like to see a black Mulan, a black Geralt of Rivia, a white Martin Luther King Jr. or a black Adolf Hitler, I hope you see my point here.