My old-fashioned view on the terms “blacklist” and “whitelist”

Graham Cluley
@gcluley

The UK’s National Cyber Security Centre (NCSC) has said that it will be changing the wording it uses on its website.

In short, it says it will no longer be using the terms “whitelist” and “blacklist” to describe things that you might want to allow or block on your computers:

“You may not see why this matters. If you’re not adversely affected by racial stereotyping yourself, then please count yourself lucky. For some of your colleagues (and potential future colleagues), this really is a change worth making. From now on, the NCSC will use ‘allow list’ and ‘deny list’ in place of ‘whitelist’ and ‘blacklist’ on our website. Which, in fact, is clearer and less ambiguous.”

The announcement cause a predictable furore on social media with many sharing their opinion, the politer of which described the move as “political correctness gone mad”.

Others invoked images of touchy-feely social justice warriors virtue-signalling and wringing their handkerchiefs over whether an article about a web filter might offend people depending on their race.

Sign up to our newsletter
Security news, advice, and tips.

Well, call me old-fashioned if you like, but I think words matter. As does decency and respect for others. In fact I think that matters more than clinging on to phrases that might have been used for years and years – as though a history of past usage somehow makes certain phrases and terms acceptable or desirable.

The NCSC says it will use phrases “allow list” and “deny list” in future, and that’s fine with me.

(Hey, “deny list” even uses one less character than “black list”! When there’s a global byte shortage going on, what’s not to love with that!?)

Years ago I saw some suggest the use of “block list” instead of “blacklist”, but I don’t think that caught on widely.

Maybe “allow list” and “deny list” won’t become the norm either, but I think we should all do our little bit to try to help move away from old terms which equate good things with white and bad things with black.

Furthermore, you don’t have to explain what “allow list” and “deny list” mean – it’s clear language which is self-explanatory.

Frankly, I don’t see any downsides.

So I’m going to try to follow in the NCSC’s footsteps on this one.

And I’m sure there are articles on my website or things I’ve said in the past where I’ve used terms like “whitelisting” and “blacklisting” carelessly.

Hands up. I’ve done it. Do let me know where, and if I can I’ll do my best to fix it.

Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.


Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

19 comments on “My old-fashioned view on the terms “blacklist” and “whitelist””

  1. Blocklist has the advantage in that anything the had an acronym BL will still have the same acronym. Many organisation has spent money on domains that incorporate the letters BL and so moving to Deny List would not be feasible.

  2. Yes black hat hacker should be changed and as the article states people who have never experienced any racial sterotyping or have no clue about how words impact at a concious or subconcious level shouldn't really comment on this issue.

    1. Please don't comment on this issue. It makes me uncomfortable on an unconcious level, which you have no concept of understanding.

  3. Could have used

    Yes-list and No-list

    Or

    Welcome-list and Bad-list (to keep letters)

    Or

    Good-list and Bad-list

    There are many reasonable alternatives.

  4. Allow & Deny also work well for people who don't have English as a first language, avoids having to do a two-step mental translation of "letter string b l a c k" to a "colour in my preferred language", to interpret what that colour means with respect to an allowed or denied list of things.

    Interesting quick experiment:

    root@box:/# find etc -type f |grep allow
    etc/hosts.allow
    etc/apache2/mods-available/allowmethods.load

    root@box:/# find etc -type f |grep deny
    etc/hosts.deny
    etc/fail2ban/action.d/hostsdeny.conf

    root@box:/# find etc -type f |grep white
    etc/X11/cursors/whiteglass.theme

    root@box:/# find etc -type f |grep black
    etc/apport/blacklist.d/apport
    etc/apport/blacklist.d/firefox
    etc/apport/blacklist.d/README.blacklist
    etc/fail2ban/action.d/symbiosis-blacklist-allports.conf
    etc/modprobe.d/intel-microcode-blacklist.conf
    etc/modprobe.d/blacklist.conf
    etc/modprobe.d/blacklist-framebuffer.conf
    etc/modprobe.d/blacklist-modem.conf
    etc/modprobe.d/blacklist-firewire.conf
    etc/modprobe.d/blacklist-ath_pci.conf
    etc/modprobe.d/blacklist-rare-network.conf
    etc/modprobe.d/amd64-microcode-blacklist.conf
    etc/bindresvport.blacklist
    etc/java-14-openjdk/security/blacklisted.certs
    etc/gnome/menus.blacklist

    Looks as though we're pretty fond of black lists in Ubuntu

  5. Block List/Allow List is what I'm opting for; now we can whitewash our… oh wait ¯\_(ツ)_/¯

  6. I think things like this do more harm than good as it's making a race issue out of a completely non-racist situation. It's just contributing to political correctness fatigue and does nothing to move society forward with regard to actual racial injustice. To suggest that it is in some small way contributing to improving race relations just comes across as virtue signalling.

    That said, I do prefer the proposed terminology as I think it's more descriptive.

    1. The true measure of racial equality, is if a room full of business people of all races can use the terms blacklist/whitelist in their proper context without feeling uncomfortable about offending each other.
      If people are having to choose their words carefully, then it betrays a latent racism within themselves which they have to suppress.
      It's like the ex-smoker who gets more self righteous about others smoking near them.

  7. Deny and Allow are common sense and those who are stuck in the past should stop their own faux offence at what they see as 'political correctness'. It isn't. It's respect. We don't have images of black dolls on Robertson's jam anymore. Thank Goodness. Embrace the change.

  8. The words don't have origin in racial terms (as English.SE will tell you), and they are extremely common and well understood terms. Changing the wording may placate the 1% of users who incorrectly find these terms "offensive" and risk confusing a large % of users who find the other terms unintuitive or inaccurate.

  9. This is perfect, I agree with you completely and it also happens to describe what it means much more effectively – 'allow list' and 'deny list' are self explanatory which also helps normalise the language of infosec. Now, I'm just trying to find alternative terms for black box, white box and grey box – any ideas?

  10. > as the article states people who have never experienced any racial sterotyping or have no clue about how words impact at a concious or subconcious level shouldn't really comment on this issue.

    That would be fine if people who have never experienced any racial sterotyping weren't most of the people behind pushing the terminology change, and the people who purport to have a clue about "about how words impact at a concious or subconcious level " weren't self-appointed. Show me some evidence that your average black person cares about this and that it's not just hand-wringing white guilt behind this.

  11. This is the ultimate in 'cargo culting' your way to racial harmony. Are people seriously unable to tease apart the concept of whitelist=inclusive, blacklist=exclusive from people's skin colour?
    Are we now to completely redesign all our apps to choose a colour palette which doesn't overly favour the colour white?
    If you want to do something useful for racial equality, try and promote more BAME people entering the STEM subjects instead of changing language to try and hide any perceived racial bias.
    Utter ridiculousness.

Leave a Reply to John Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.