My old-fashioned view on the terms “blacklist” and “whitelist”

Graham Cluley @gcluley

My old-fashioned opinion on the terms "blacklist" and "whitelist"

The UK’s National Cyber Security Centre (NCSC) has said that it will be changing the wording it uses on its website.

In short, it says it will no longer be using the terms “whitelist” and “blacklist” to describe things that you might want to allow or block on your computers:

“You may not see why this matters. If you’re not adversely affected by racial stereotyping yourself, then please count yourself lucky. For some of your colleagues (and potential future colleagues), this really is a change worth making. From now on, the NCSC will use ‘allow list’ and ‘deny list’ in place of ‘whitelist’ and ‘blacklist’ on our website. Which, in fact, is clearer and less ambiguous.”

The announcement cause a predictable furore on social media with many sharing their opinion, the politer of which described the move as “political correctness gone mad”.

Others invoked images of touchy-feely social justice warriors virtue-signalling and wringing their handkerchiefs over whether an article about a web filter might offend people depending on their race.

Well, call me old-fashioned if you like, but I think words matter. As does decency and respect for others. In fact I think that matters more than clinging on to phrases that might have been used for years and years – as though a history of past usage somehow makes certain phrases and terms acceptable or desirable.

The NCSC says it will use phrases “allow list” and “deny list” in future, and that’s fine with me.

(Hey, “deny list” even uses one less character than “black list”! When there’s a global byte shortage going on, what’s not to love with that!?)

Years ago I saw some suggest the use of “block list” instead of “blacklist”, but I don’t think that caught on widely.

Maybe “allow list” and “deny list” won’t become the norm either, but I think we should all do our little bit to try to help move away from old terms which equate good things with white and bad things with black.

Furthermore, you don’t have to explain what “allow list” and “deny list” mean – it’s clear language which is self-explanatory.

Frankly, I don’t see any downsides.

So I’m going to try to follow in the NCSC’s footsteps on this one.

And I’m sure there are articles on my website or things I’ve said in the past where I’ve used terms like “whitelisting” and “blacklisting” carelessly.

Hands up. I’ve done it. Do let me know where, and if I can I’ll do my best to fix it.

Graham Cluley Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

11 Replies to “My old-fashioned view on the terms “blacklist” and “whitelist””

  1. Blocklist has the advantage in that anything the had an acronym BL will still have the same acronym. Many organisation has spent money on domains that incorporate the letters BL and so moving to Deny List would not be feasible.

  2. Yes black hat hacker should be changed and as the article states people who have never experienced any racial sterotyping or have no clue about how words impact at a concious or subconcious level shouldn't really comment on this issue.

  3. Could have used

    Yes-list and No-list

    Or

    Welcome-list and Bad-list (to keep letters)

    Or

    Good-list and Bad-list

    There are many reasonable alternatives.

  4. Allow & Deny also work well for people who don't have English as a first language, avoids having to do a two-step mental translation of "letter string b l a c k" to a "colour in my preferred language", to interpret what that colour means with respect to an allowed or denied list of things.

    Interesting quick experiment:

    root@box:/# find etc -type f |grep allow
    etc/hosts.allow
    etc/apache2/mods-available/allowmethods.load

    root@box:/# find etc -type f |grep deny
    etc/hosts.deny
    etc/fail2ban/action.d/hostsdeny.conf

    root@box:/# find etc -type f |grep white
    etc/X11/cursors/whiteglass.theme

    root@box:/# find etc -type f |grep black
    etc/apport/blacklist.d/apport
    etc/apport/blacklist.d/firefox
    etc/apport/blacklist.d/README.blacklist
    etc/fail2ban/action.d/symbiosis-blacklist-allports.conf
    etc/modprobe.d/intel-microcode-blacklist.conf
    etc/modprobe.d/blacklist.conf
    etc/modprobe.d/blacklist-framebuffer.conf
    etc/modprobe.d/blacklist-modem.conf
    etc/modprobe.d/blacklist-firewire.conf
    etc/modprobe.d/blacklist-ath_pci.conf
    etc/modprobe.d/blacklist-rare-network.conf
    etc/modprobe.d/amd64-microcode-blacklist.conf
    etc/bindresvport.blacklist
    etc/java-14-openjdk/security/blacklisted.certs
    etc/gnome/menus.blacklist

    Looks as though we're pretty fond of black lists in Ubuntu

  5. Block List/Allow List is what I'm opting for; now we can whitewash our… oh wait ¯\_(ツ)_/¯

  6. I think things like this do more harm than good as it's making a race issue out of a completely non-racist situation. It's just contributing to political correctness fatigue and does nothing to move society forward with regard to actual racial injustice. To suggest that it is in some small way contributing to improving race relations just comes across as virtue signalling.

    That said, I do prefer the proposed terminology as I think it's more descriptive.

  7. Deny and Allow are common sense and those who are stuck in the past should stop their own faux offence at what they see as 'political correctness'. It isn't. It's respect. We don't have images of black dolls on Robertson's jam anymore. Thank Goodness. Embrace the change.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.