My old-fashioned view on the terms “blacklist” and “whitelist”

My old-fashioned opinion on the terms "blacklist" and "whitelist"

The UK’s National Cyber Security Centre (NCSC) has said that it will be changing the wording it uses on its website.

In short, it says it will no longer be using the terms “whitelist” and “blacklist” to describe things that you might want to allow or block on your computers:

“You may not see why this matters. If you’re not adversely affected by racial stereotyping yourself, then please count yourself lucky. For some of your colleagues (and potential future colleagues), this really is a change worth making. From now on, the NCSC will use ‘allow list’ and ‘deny list’ in place of ‘whitelist’ and ‘blacklist’ on our website. Which, in fact, is clearer and less ambiguous.”

The announcement cause a predictable furore on social media with many sharing their opinion, the politer of which described the move as “political correctness gone mad”.

Others invoked images of touchy-feely social justice warriors virtue-signalling and wringing their handkerchiefs over whether an article about a web filter might offend people depending on their race.

Sign up to our free newsletter.
Security news, advice, and tips.

Well, call me old-fashioned if you like, but I think words matter. As does decency and respect for others. In fact I think that matters more than clinging on to phrases that might have been used for years and years – as though a history of past usage somehow makes certain phrases and terms acceptable or desirable.

The NCSC says it will use phrases “allow list” and “deny list” in future, and that’s fine with me.

(Hey, “deny list” even uses one less character than “black list”! When there’s a global byte shortage going on, what’s not to love with that!?)

Years ago I saw some suggest the use of “block list” instead of “blacklist”, but I don’t think that caught on widely.

Maybe “allow list” and “deny list” won’t become the norm either, but I think we should all do our little bit to try to help move away from old terms which equate good things with white and bad things with black.

Furthermore, you don’t have to explain what “allow list” and “deny list” mean – it’s clear language which is self-explanatory.

Frankly, I don’t see any downsides.

So I’m going to try to follow in the NCSC’s footsteps on this one.

And I’m sure there are articles on my website or things I’ve said in the past where I’ve used terms like “whitelisting” and “blacklisting” carelessly.

Hands up. I’ve done it. Do let me know where, and if I can I’ll do my best to fix it.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

22 comments on “My old-fashioned view on the terms “blacklist” and “whitelist””

  1. pob

    Blocklist has the advantage in that anything the had an acronym BL will still have the same acronym. Many organisation has spent money on domains that incorporate the letters BL and so moving to Deny List would not be feasible.

  2. David Esp
  3. David

    How are you now going to refer to a Black-hat hacker like Dustin Cook?

  4. OldMan

    Is this what the world has come to? I am clearly in bizarro land.

  5. Kal

    Yes black hat hacker should be changed and as the article states people who have never experienced any racial sterotyping or have no clue about how words impact at a concious or subconcious level shouldn't really comment on this issue.

    1. Paul Minshall · in reply to Kal

      Please don't comment on this issue. It makes me uncomfortable on an unconcious level, which you have no concept of understanding.

  6. Roger

    Could have used

    Yes-list and No-list

    Or

    Welcome-list and Bad-list (to keep letters)

    Or

    Good-list and Bad-list

    There are many reasonable alternatives.

  7. Adrian

    Allow & Deny also work well for people who don't have English as a first language, avoids having to do a two-step mental translation of "letter string b l a c k" to a "colour in my preferred language", to interpret what that colour means with respect to an allowed or denied list of things.

    Interesting quick experiment:

    root@box:/# find etc -type f |grep allow
    etc/hosts.allow
    etc/apache2/mods-available/allowmethods.load

    root@box:/# find etc -type f |grep deny
    etc/hosts.deny
    etc/fail2ban/action.d/hostsdeny.conf

    root@box:/# find etc -type f |grep white
    etc/X11/cursors/whiteglass.theme

    root@box:/# find etc -type f |grep black
    etc/apport/blacklist.d/apport
    etc/apport/blacklist.d/firefox
    etc/apport/blacklist.d/README.blacklist
    etc/fail2ban/action.d/symbiosis-blacklist-allports.conf
    etc/modprobe.d/intel-microcode-blacklist.conf
    etc/modprobe.d/blacklist.conf
    etc/modprobe.d/blacklist-framebuffer.conf
    etc/modprobe.d/blacklist-modem.conf
    etc/modprobe.d/blacklist-firewire.conf
    etc/modprobe.d/blacklist-ath_pci.conf
    etc/modprobe.d/blacklist-rare-network.conf
    etc/modprobe.d/amd64-microcode-blacklist.conf
    etc/bindresvport.blacklist
    etc/java-14-openjdk/security/blacklisted.certs
    etc/gnome/menus.blacklist

    Looks as though we're pretty fond of black lists in Ubuntu

  8. Jayaram Raman

    Block List/Allow List is what I'm opting for; now we can whitewash our… oh wait ¯\_(ツ)_/¯

  9. John

    I think things like this do more harm than good as it's making a race issue out of a completely non-racist situation. It's just contributing to political correctness fatigue and does nothing to move society forward with regard to actual racial injustice. To suggest that it is in some small way contributing to improving race relations just comes across as virtue signalling.

    That said, I do prefer the proposed terminology as I think it's more descriptive.

    1. Paul Minshall · in reply to John

      The true measure of racial equality, is if a room full of business people of all races can use the terms blacklist/whitelist in their proper context without feeling uncomfortable about offending each other.
      If people are having to choose their words carefully, then it betrays a latent racism within themselves which they have to suppress.
      It's like the ex-smoker who gets more self righteous about others smoking near them.

    2. Philip Nash · in reply to John

      I think this is a red herring. A lot of white noise by a lot of red-blooded, red nosed white trash trying to give us a black-eye. It is yellow journalism masquerading as lily-white red-baiting by a bunch of redcoats. It is white meat for the red army of black friars who have red-eye. Well you have crossed a red line for the white-collar folks in the black market and I, as a red-blooded Redskin, intend to write a black comedy about you yellow bellied white elephants. My finances are in the black, never in the red and I take my coffee white not black.

  10. peter laycock

    Deny and Allow are common sense and those who are stuck in the past should stop their own faux offence at what they see as 'political correctness'. It isn't. It's respect. We don't have images of black dolls on Robertson's jam anymore. Thank Goodness. Embrace the change.

    1. Paul Minshall · in reply to peter laycock

      Political correctness is all about demonstrating 'faux' offence. Try following your own advice.

  11. Carl

    You've just blown your credibility- this article is ridiculous.

  12. jack

    The words don't have origin in racial terms (as English.SE will tell you), and they are extremely common and well understood terms. Changing the wording may placate the 1% of users who incorrectly find these terms "offensive" and risk confusing a large % of users who find the other terms unintuitive or inaccurate.

  13. Grainne

    This is perfect, I agree with you completely and it also happens to describe what it means much more effectively – 'allow list' and 'deny list' are self explanatory which also helps normalise the language of infosec. Now, I'm just trying to find alternative terms for black box, white box and grey box – any ideas?

  14. Rog S.

    > as the article states people who have never experienced any racial sterotyping or have no clue about how words impact at a concious or subconcious level shouldn't really comment on this issue.

    That would be fine if people who have never experienced any racial sterotyping weren't most of the people behind pushing the terminology change, and the people who purport to have a clue about "about how words impact at a concious or subconcious level " weren't self-appointed. Show me some evidence that your average black person cares about this and that it's not just hand-wringing white guilt behind this.

    1. Paul Minshall · in reply to Rog S.

      I'm looking at this on a computer screen with a white background. Should I switch to dark mode to avoid offending somebody?

  15. Paul M

    This is the ultimate in 'cargo culting' your way to racial harmony. Are people seriously unable to tease apart the concept of whitelist=inclusive, blacklist=exclusive from people's skin colour?
    Are we now to completely redesign all our apps to choose a colour palette which doesn't overly favour the colour white?
    If you want to do something useful for racial equality, try and promote more BAME people entering the STEM subjects instead of changing language to try and hide any perceived racial bias.
    Utter ridiculousness.

  16. Charles Kingston

    I could not disagree more. All we are doing is empowering those who claim offense (in earnest or otherwise) to drive another nail in the coffin of free speech. To eliminate free speech is to eliminate freedom of conscience, which is the single most fundamental human right that exists. Whether someone of color has a uniquely different experience from beige people is unknowable, since nobody has lived his/her entire life in either states. Saying, "you can't comment because you aren't part of my group" is politically powerful but logically inept, unless you believe that the self-proclaimed victims are omniscient by virtue of some form of woke magic. More importantly, rights are not some bizarre trump card that allow me to force someone else to behave in a way that makes me more comfortable. Rights are about the individual freedom we are each supposed to be born with, and without which, democracy and free society are impossible. We can all agree that we aspire to build a better future where we all honor one another, but using political bullying, and pathetically indefensible logic, to enforce speech is the horrifying opposite of that vision, regardless of the warm, self-righteous feeling it may give some in the moment.

  17. Johnnyjazz

    Then I guess they should also change the name of the White House. Any takers? "The inclusive color-spectrum house." Yeah. That's a good one. Won't offend anybody.

Leave a Reply to Paul Minshall Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.