UK NCSC to stop using ‘whitelist’ and ‘blacklist’ due to racial stereotyping

The UK government’s cyber-security agency said this week it would stop using “whitelist” and “blacklist” due to stigma and racial stereotyping surrounding the two terms.

Instead, the UK National Cyber Security Centre said that going forward, it would use the terms “allow list” and “deny list” instead of the two.

“It’s fairly common to say whitelisting and blacklisting to describe desirable and undesirable things in cyber security,” said Emma W., Head of Advice and Guidance at the NCSC.

“However, there’s an issue with the terminology. It only makes sense if you equate white with ‘good, permitted, safe’ and black with ‘bad, dangerous, forbidden’. There are some obvious problems with this,” she added.

“So in the name of helping to stamp out racism in cyber security, we will avoid this casually pejorative wording on our website in the future.”

The NCSC exec said the agency decided to stop using the two terms after a request from an NCSC customer.

The concern that continued use of the two terms could prolong racial stereotypes has been brought up before by the IT community in past published academic journals.

The issue was also a talking point inside Chromium, the open-source browser engine at the base of Chrome, Edge, Vivaldi, Opera, Brave, and many other modern-day web browsers. Microsoft engineers asked, and Google engineers agreed to stop using the whitelist and blacklist terms.

“No, it’s not the biggest issue in the world – but to borrow a slogan from elsewhere: every little helps,” the NCSC said.