‘Whitelist,’ ‘Blacklist’: The New Debate Over Security Terminology

For many years, terms such as “blacklist” and “whitelist” were commonly used within cybersecurity and infosec circles to simply designate what person or application had access to a system or network (and which ones were denied).

In the wake of months-long, nationwide protests over issues such as racial injustice and police misconduct, the cybersecurity and infosec communities are having their own debate over terms such as “black” and “white” and what those connotations mean. Is it now time to change the terminology of security to make the industry much fairer and a more inclusive community?

Some of these issues have already bubbled up to the surface.

In late April, just as protests in the U.S. and elsewhere were building, the U.K. National Cyber Security Centre, which is part of the British intelligence agency GCHQ and runs that nation’s incident-response team, published an announcement that it would now use the terms “allow list” and “deny list” in place of the more traditional whitelist and blacklist. 

In June, Cisco Talos, the threat research arm of Cisco’s security division, announced a similar measure.

“While we acknowledge it is a small change, Cisco Talos is moving to replace our use of the terms ‘blacklist’ and ‘whitelist’ with ‘block list’ and ‘allow list,’” according to the Cisco Talos team. “Even though these terms are commonly in use in the security industry, we will not go along with casually assigning positive connotations to ‘white’ while assigning negative connotations to ‘black.’”

There’s even a debate brewing over whether one of cybersecurity’s most recognized events—BlackHat—should change its name to reflect the broader debate. In early July, David Kleidermacher, the vice president of engineering at Google who oversees Android Security and the Google Play Store, announced he was withdrawing from a scheduled talk to spur the infosec community into using more neutral terms.

“While many people will rightly claim they never consciously associated such terms with racism, the reality is that words matter, and these words perpetuate the notion of ‘white’ as ‘good’ and ‘black’ as ‘bad,’” Michelle McLean, vice president of product marketing at security firm StackRox, told Dice. Her company has also started using more race- and gender- neutral terms such as “allow list” and “deny list.”

“Linguists have long made a compelling case that words directly shape our consciousness and our reality, so we need to take steps like removing such racist terms from our technical vocabulary as a small part of a much larger effort needed to create positive environments and opportunities for Black and other underrepresented people in tech,” McLean added.

Ongoing Debate

While it might seem that the IT, developer and security communities have only recently started debating word choices such as whitelist and blacklist, as well as “master” and “slave,” concerns over the use of these terms and what they mean have been part of the discussion for some time.

In 2018, for example, two Irish scholars published a research paper addressing “widespread use of racist language in discussions concerning predatory publishing,” including the terms blacklist and whitelist.

Thomas Hatch, CTO and co-founder of security firm SaltStack, believes that not only do more modern and race-neutral terms help eliminate racist language, but they also offer clearer definitions of what security should mean to an organization.

“In the past, most of us did not consider the connotation within the terms whitelist and blacklist. We just thought about them as standard computing terms,” Hatch told Dice. “However, moving away from using terminology that has originated specifically from such inhumane practices is positive for the security industry as well as other industries. It has been refreshing to see this trend sweep through tech.”

A More Perfect Future

While the debate over terms such as blacklist and whitelist has really only started, and not everyone may feel the need to change these, Heather Paunet, vice president of product management at security firm Untangle, believes that eliminating certain terminologies now can pay off down the road by making cybersecurity and infosec more inclusive and respectful of the talent it wants to draw on.

“‘Blacklist’ and ‘whitelist’ are terms that needed to be learned by newcomers to a security company, or security product, because it’s not clear when you first come across them what they mean,” Paunet said. “Using terms where it’s obvious what they do will make for easier to understand security solutions, as well as promote a culture of not going along with the use of terminology that promotes positive or negative associations with the colors ‘black’ and ‘white.’”

StackRox’s McLean also believes that updating the words the industry uses can help change the culture, making cybersecurity a more attractive career for many more talented people from diverse backgrounds.

“The security industry will only benefit from being able to tap into a larger and more diverse talent pool as we work together to protect critical applications and infrastructure,” McLean said. “Thinking more broadly creates better solutions, and the security industry needs that talent tool more than ever.”

26 Responses to “‘Whitelist,’ ‘Blacklist’: The New Debate Over Security Terminology”

  1. Rodney L. Hergenrader

    How about having a Green and Red List for security access as well as just going with Primary and Secondary instead of Master and slave. This will leave a yellow list for entries security has yet to determine which category to assign. All it takes is one of the big players, especially if Microsoft, Cisco, etc. adopts and agrees on a standard – this way it will be somewhat easy for everyone to say – this is how it will be from now on in all communications, documentation and training contained within each company that deals or has IT associations.

  2. Protests seems funded otherwise they would fight for certain race lives from Chicago gang wars. And they look like to disrupt US and defame Trump Administration.
    No race or religion is superior. People with all kinds of races or religion are happily working together everywhere. Terminology is nothing to do with the race.

  3. i.b. hemp

    Rodney, Green and Red list still require cultural context to make sense.

    “Dear IT admin, please green list these domains.” — potentially unclear/ambiguous.

    “Dear IT admin, please mark these as approved domains.” — clear, unambiguous.

  4. ‘Black’ and ‘White’, in IT world, has forever been based on the cowboys for the old westerns, where the bad guys always wore black, and the good guys white.
    Bringing in race or skin color to this subject comes from racists only. Noone, NOONE, has ever made this same assumption before.

    • Have to agree. Typically the people I have encountered that see racism everywhere are the biggest racists themselves. Not saying this is the rule for everyone but certainly something to consider when trying to placate the mob.

    • Peter Parker

      From ancient human archetypes – light = white = good and dark = black = bad, as predators and various other dangers would lurk in the dark. But you woke morons are actually hard asleep and completely clueless – go read a book, it’ll do you good. Just don’t judge it by the color of its cover.

  5. Ellery Russell

    I doubt there was ever a time when white European society as a whole had not come in contact with a black African, or a middle easterner, or otherwise. You may be able to make the case that darkness/night vs lightness/day is the origin, but over time that has become conflated with race in many ways. Just look at Aladdin, where evil Jafar is a dark-skinned Arab with racist features, while the heroes are much lighter with white features.

    • John Smith

      “I doubt there was ever a time when white European society as a whole had not come in contact with a black African, or a middle easterner, or otherwise.”

      Ever taken a course in anthropology? Evolutionary biology? History of communications? You never specified a time, so I’ll just assume you are referring to any time-range from the first emergence of anatomically modern humans to—perhaps say—the first advanced civilization, Sumer. The majority of humans in this timeframe are in the hunter-gatherer stage. They are highly segmented. At most, the largest social division during this time period existed as tribes. “Society” as we know it today and 4,000 years ago simply did not exist way back then.

      However, I must admit that you were onto something in the later half of your comment. Yes, regardless of the origin of the black and white dichotomy (aka binary opposition), eventually they will get conflated with many other conceptual frameworks, including race. That is not to say that your conclusion is correct. I highly doubt that media representations of black-skinned being evil (and v/v) can achieve any sort of psychological conditioning effect on people, including children. Humans are much more intelligent than to rely on mere simple associations as their main reasoning process.

  6. Old Engineer

    The context of back and white hats on cowboys is in relation to the movies and early TV where were both in black and white. I personally did not have a color set in my house till the 70s. There were no colors, the only way you could tell sides was by contrast, Black White. We are changing things to fain progress without addressing the real issue. Systemic poverty caused by an unequal educational system. I remember seeing my first black engineering professor, his comment the first day of class was that he was disappointed there were no blacks in his class. It was long ago but to this day black engineers make up less than 5% of the engineering students heck only 5% of black students choose engineering. It is time to put this minutia down and pick up our real problems.

  7. Arkanova Garda

    I agree with “Old Engineer”. Of course we can never tolerate racist language like e.g. “the N-word”, but words with no connection to racism like “blacklist” or “whitelist” are not the problem. The problems are much more complex and must be tackled properly. The “whitelist”/”blacklist” discussion in my opinion only obscures the real problems.

  8. Arkanova Garda

    @Ellery Russell
    Well, talking about “white European society as a whole” is historically wrong and discriminating. “White Europe” has always (also before the arrival of non-white people) been a culturally and ethnically diverse continent. The different peoples have very different historical backgrounds. When hearing “white”, people tend to only think of e.g. Germany, England, France, Spain or Belgium with their colonial histories and Germany’s history of the Holocaust. They forget about the white peoples of south-eastern Europe, e.g. Bulgarians, Serbians or Croatians who themselves were colonised and enslaved by the non-white muslim Ottoman Empire or central-eastern Europe like the Polish-Lithuanian Commonwealth that never really had contact with black people and was itself threatened by white Germans, Austrians and also the Ottoman Empire, which actually enslaved many slavic people from the southern territories of the Commonwealth. The history of racism and slavery, like human history itself, is not “black and white”. For some people terms like “blacklist” come with racist connotations (colonial history?), while for others the terms are still neutral with their origin in darkness/lightness (Eastern European historical background). Is forcing racist connotations on others OK?

    • Paul Biri, Finland

      In Indo-Iran language “Arya” means a hero, noble man, but among Uralic people, who during the bronce age lived in their neighborhood word “orja” means slave i.e. unfree person. In todays Finnish “orja” is pronounced “orya”.
      Black list and white list are not as good as “deny list” and “able list”, because the latter ones do not refer to any color table but have clear verbs that tell what they are staning for.

  9. Arkanova Garda

    @Ellery Russell
    P.S. concerning Disneys Aladdin from 1992, I guess that is what you are referring to (?), honestly, princess Jasmin looks “as Arab” to me, as Jafar. Besides I have never really thought about either Aladdin’s ethnicity, or Mulan’s, or Obi Wan’s or Lando’s. Though I would not like to see a black Mulan, a black Geralt of Rivia, a white Martin Luther King Jr. or a black Adolf Hitler, I hope you see my point here.

  10. To guard ambiguous terminology and defend it as “not racist” is missing the point and only perpetuates ambiguity and environments where underrepresented folks are potentially harmed.

  11. Luke Ross

    ““‘Blacklist’ and ‘whitelist’ are terms that needed to be learned by newcomers to a security company, or security product, because it’s not clear when you first come across them what they mean,” Paunet said.”

    Yes, because apart from those two words, infosec and the IT industry in general is replete with simple and intuitive words and alphabet soup.

  12. ThisHasGoneTooFar

    The fact that we even have this discussion is sad, and says something about how far this has gone. I don’t even feel I can use my own name when commenting this topic, because I know some people feel offended about my opinion and it can result in harassment or worse. If we don’t stand up for ourself soon we will lose the right to speak at all, because someone will be offended by every single word there is. If you relate blacklist and whitelist to race, I think the problem is those people taking up this topic in the first place and not the words itself. I personally never related this to race but rather how people react to these colors in society (not towards skin color), example: some people feel it’s can be scary to walk out when it’s dark (black being a dark color) and people prefer it being lighter outside (white being a light color), doesn’t mean that people with black skin is scary however some people are making it sound like this. What some of you are saying here is indirectly “it’s better to change it so no one feels offended”, now when are we going to stop thinking this way? I think those people are either afraid to stand out or struggles with low self-esteem. Either way I do not think this is the way to go. And note that I am absolutely against racism of any kind. I just mean that this is going way too far.

    • Dawid Kurzyniec

      Black/white as antonyms (and as synonyms of ‘good’ and ‘evil’, by connection to ‘darkness’ and ‘light’) are culturally universal. Every human, regardless of race, has instinctive fear of darkness, because that’s how we evolved: in darkness, you might not see a lurking danger, so if you didn’t fear darkness, you were more likely to die. That distinction shaped our cultures and our languages. Consider, for example, ‘enlightment’, ‘dark ages’, ‘And there was light, and it was good’, ‘night and day’, ‘prince of darkness’, and ask yourself if this is something that we should be trying to, and could ever successfully, undo. And yes, in African cultures, darkness is also associated with evil.

      Skin color, on the other hand, is never even white or black. It might be pink or brown. Skin tone is also just one of many attributes of a race, not always even the most distinctive one.

      So perhaps we should just lobby that everyone stops using color names to refer to the races, at least in official setting. Caucasian and African-descent (e.g. African-American) are well-recognized alternatives.

      Coming to think about it, I would really much prefer if people thought it offensive to be called ‘black’ or ‘white’ than to taint color names with racial connotations.

  13. The comments on this ignorant article show how little intelligence these people actually have. To debate something so dumb, ignorant, and trivial just proves how these particular humans are sheep. Distracted with BS that has NOTHING to do with race because someone else told you its bad…..mmmmmk. Go home people

  14. Master Bruce Wayne

    Im going to put this out there. There exists an exhausted majority who is sick of the far left and far right being crazy. We are the people who switch sides every election based on the nonsense of the left and right.

    Soeither these posters (wokesters) are idiots, or they are doing it for a purpose. From the authors perspectice and news agencies its about shock value and addvertising money. If its purposefull in the comments section, then they are purposefully trying to push the exhausted majority to the right because their standpoint is rediculous.

    So we must assume that they are russian, chinese, or iran citizens trying to sew division in our democracy by electing another Trump to cause more issues so they can push their governmental idealogies, those being, autocracy, communism, and theocracy.

    It may sound crazy, but when your on top, EVERYONE wants to take you down, and were just a few more years away given this nonsense. Its time to stand up, fight back and yell back at the harah left and right extremes and say enough is enough. MLK said cant we get along. Its time to heed those words.