Words matter, or the latest from the Security Industry Association on problematic security terms

I may have accidentally hit upon a post series.

In my previous installment of “Words Matter,” published a little over a month ago on November 12, I described how Simon A. Cole made a distinction between words such as “decision,” “interpretation,” and “findings” when talking about how forensic results are described. The passage of time, and the perceptions that change over time, affect how words are used.

There are other examples of how perceptions change over time. Those of us who were alive in the 1960s may remember how the cigarette advertisement phrase “you’ve come a long way, baby” was initially perceived as a liberating, feminist phrase.

Similarly, those of us who were alive in the 1960s may remember that the Washington Redskins were infamous for being the last NFL team in the modern era to add a black player to its roster. The fact that the Washington Redskins were the Washington REDSKINS was not a matter of concern for most people. (Now is the time for a confession: even today, I own a Washington Redskins keychain and a Washington Redskins cup. But I don’t flaunt my ownership of these items.)

Let’s move to the tech world, in which terms that were OK with most people a few years ago are now questionable. The Security Industry Association has compiled a list of some common security terms which, in the SIA’s view, exhibit “language bias.”

Now I’ll be the first to admit that the SIA’s view is not a universal view. There are a number of people who would reply “get over it” if someone objected to one of these terms. (At the same time, there are a number of people who wonder why these terms were ever adopted in the first place.)

I’ll confess that, with the exception of master/slave, I hadn’t really thought about the offensiveness of these terms. And I wondered if the proposed replacement terms would prove to be clunky and unusable.

Well, in my opinion, the SIA did a pretty good job in proposing some new terms that are workable without being offensive. Take the SIA’s proposed replacement for master/slave, for example. The SIA’s proposal to remove the “language bias” that references slavery in the United States and other nations is to substitute the word “primary” or “commander” for “master,” and “secondary” or “responder” for “slave.” The replacement terms convey the security meaning well.

Here are some other proposed terminology changes from the SIA:

  • Change “blacklist” to “blocklist.” Heck, this is just a one letter change.
  • Change “whitelist” to “allowlist.” Perhaps it seems a teeny bit clumsy on first reading, but this would definitely work.
  • Change “black hat” and “white hat” to “bad hat” and “good hat,” or alternatively to “malicious hacker” and “ethical hacker.” Incidentally, the alternative terminology effectively dodges another issue that is unrelated to race or sex bias, namely whether “hacker” and “malicious hacker” are synonyms.
  • For connectors, change “male” and “female” to “plug” and “socket.” This probably conveys the meaning better than the original terms did.

Now the Security Industry Association is just one entity, and I’m sure that other entities are coming up with other terms that replace the older terms. As of today, Wikipedia lists 11 different replacement pairs for master/slave alone, including primary/secondary (BIND), primary/replica (Amazon and Microsoft, among others), provider/consumer (OpenLDAP), and others. There are also multiple alternatives to blacklist/whitelist, including the aforementioned blocklist/allowlist, and other pairs such as deny list/allow list and block list/allow list (with spaces).

All of these suggestions are going to float around and compete with each other, and various trade associations, governments, and other entities are going to adopt one or more of these, causing people who do business with these associations/governments/entities to adopt them also. And there will be the usual debate in those places where standards, like sausages, are made.

After all of these standards battles are complete, which set of terms will prevail?

That’s easy.

LOS ANGELES – MARCH 14: Guest arrives for the 2019 iHeartRadio Music Awards on March 14, 2019 in Los Angeles, California. (Photo by Glenn Francis/Pacific Pro Digital Photography). By Toglenn (Glenn Francis) – This file has been extracted from another file: Taylor Swift 2 – 2019 by Glenn Francis.jpg, CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=81523364

The terminology adopted by Taylor Swift will be the terminology that will be adopted by the rest of the world.

Sorry, SIA, but the general population cares much more about what Taylor Swift believes. Perhaps if SIA changed its acronym to TAYLOR, things would be different.

Swift (not to be confused with the Society for Worldwide Interbank Financial Telecommunication) is today’s Oprah Winfrey, and unlike Winfrey is referenced by cybersecurity practitioners.

And she can write a catchy chorus.