Tag Archives: security

What Is Your Firm’s UK Online Safety Act Story?

It’s time to revisit my August post entitled “Can There Be Too Much Encryption and Age Verification Regulation?” because the United Kingdom’s Online Safety Bill is now the Online Safety ACT.

Having passed, eventually, through the UK’s two houses of Parliament, the bill received royal assent (October 26)….

[A]dded in (to the Act) is a highly divisive requirement for messaging platforms to scan users’ messages for illegal material, such as child sexual abuse material, which tech companies and privacy campaigners say is an unwarranted attack on encryption.

From Wired.
By Adrian Pingstone – Transferred from en.wikipedia, Public Domain, https://commons.wikimedia.org/w/index.php?curid=112727

This not only opens up issues regarding encryption and privacy, but also specific identity technologies such as age verification and age estimation.

This post looks at three types of firms that are affected by the UK Online Safety Act, the stories they are telling, and the stories they may need to tell in the future. What is YOUR firm’s Online Safety Act-related story?

What three types of firms are affected by the UK Online Safety Act?

As of now I have been unable to locate a full version of the final final Act, but presumably the provisions from this July 2023 version (PDF) have only undergone minor tweaks.

Among other things, this version discusses “User identity verification” in 65, “Category 1 service” in 96(10)(a), “United Kingdom user” in 228(1), and a multitude of other terms that affect how companies will conduct business under the Act.

I am focusing on three different types of companies:

  • Technology services (such as Yoti) that provide identity verification, including but not limited to age verification and age estimation.
  • User-to-user services (such as WhatsApp) that provide encrypted messages.
  • User-to-user services (such as Wikipedia) that allow users (including United Kingdom users) to contribute content.

What types of stories will these firms have to tell, now that the Act is law?

Stories from identity verification services

From Yoti.

For ALL services, the story will vary as Ofcom decides how to implement the Act, but we are already seeing the stories from identity verification services. Here is what Yoti stated after the Act became law:

We have a range of age assurance solutions which allow platforms to know the age of users, without collecting vast amounts of personal information. These include:

  • Age estimation: a user’s age is estimated from a live facial image. They do not need to use identity documents or share any personal information. As soon as their age is estimated, their image is deleted – protecting their privacy at all times. Facial age estimation is 99% accurate and works fairly across all skin tones and ages.
  • Digital ID app: a free app which allows users to verify their age and identity using a government-issued identity document. Once verified, users can use the app to share specific information – they could just share their age or an ‘over 18’ proof of age.
From Yoti.

Stories from encrypted message services

From WhatsApp.

Not surprisingly, message encryption services are telling a different story.

MailOnline has approached WhatsApp’s parent company Meta for comment now that the Bill has received Royal Assent, but the firm has so far refused to comment.

Will Cathcart, Meta’s head of WhatsApp, said earlier this year that the Online Safety Act was the most concerning piece of legislation being discussed in the western world….

[T]o comply with the new law, the platform says it would be forced to weaken its security, which would not only undermine the privacy of WhatsApp messages in the UK but also for every user worldwide. 

‘Ninety-eight per cent of our users are outside the UK. They do not want us to lower the security of the product, and just as a straightforward matter, it would be an odd choice for us to choose to lower the security of the product in a way that would affect those 98 per cent of users,’ Mr Cathcart has previously said.

From Daily Mail.

Stories from services with contributed content

From Wikipedia.

And contributed content services are also telling their own story.

Companies, from Big Tech down to smaller platforms and messaging apps, will need to comply with a long list of new requirements, starting with age verification for their users. (Wikipedia, the eighth-most-visited website in the UK, has said it won’t be able to comply with the rule because it violates the Wikimedia Foundation’s principles on collecting data about its users.)

From Wired.

What is YOUR firm’s story?

All of these firms have shared their stories either before or after the Act became law, and those stories will change depending upon what Ofcom decides.

But what about YOUR firm?

Is your firm affected by the UK Online Safety Act, and the future implementation of the Act by Ofcom?

Do you have a story that you need to tell to achieve your firm’s goals?

Do you need an extra, experienced hand to help out?

Learn how Bredemarket can create content that drives results for your firm.

Click the image below.

Drive content results with Bredemarket Identity Firm Services.

Can There Be Too Much Encryption and Age Verification Regulation?

Designed by Freepik.

Approximately 2,700 years ago, the Greek poet Hesiod is recorded as saying “moderation is best in all things.” This applies to government regulations, including encryption and age verification regulations. As the United Kingdom’s House of Lords works through drafts of its Online Safety Bill, interested parties are seeking to influence the level of regulation.

The July 2023 draft of the Online Safety Bill

On July 25, 2023, Richard Allan of Regulate.Tech provided his assessment of the (then) latest draft of the Online Safety Bill that is going through the House of Lords.

House of Lords chamber, Palace of Westminster, London. By UK government – https://civilservicelocal.blog.gov.uk/2015/02/26/learning-about-the-workings-of-parliament/, OGL 3, https://commons.wikimedia.org/w/index.php?curid=61679038

In Allan’s assessment, he wondered whether the mandated encryption and age verification regulations would apply to all services, or just critical services.

Allan considered a number of services, but I’m just going to hone in on two of them: WhatsApp and Wikipedia.

The Online Safety Bill and WhatsApp

WhatsApp is owned by a large American company called Meta, which causes two problems for regulators in the United Kingdom (and in Europe):

  • Meta is a large company.
  • Meta is an American company.

WhatsApp itself causes another problem for UK regulators:

  • WhatsApp encrypts messages.

Because of these three truths, UK regulators are not necessarily inclined to play nice with WhatsApp, which may affect whether WhatsApp will be required to comply with the Online Safety Bill’s regulations.

Allan explains the issue:

One of the powers the Bill gives to OFCOM (the UK Office of Communications) is the ability to order services to deploy specific technologies to detect terrorist and child sexual exploitation and abuse content….

But there may be cases where a provider believes that the technology it is being ordered to deploy would break essential functionality of its service and so would prefer to leave the UK rather than accept compliance with the order as a condition of remaining….

If OFCOM does issue this kind of order then we should expect to see some encrypted services leave the UK market, potentially including very popular ones like WhatsApp and iMessage.

From https://www.regulate.tech/online-safety-bill-some-futures-25th-july-2023/

And this isn’t just speculation on Allan’s part. Will Cathcart has been complaining about the provisions of the draft bill for months, especially since it appears that WhatsApp encryption would need to be “dumbed down” for everybody to comply with regulations in the United Kingdom.

Speaking during a UK visit in which he will meet legislators to discuss the government’s flagship internet regulation, Will Cathcart, Meta’s head of WhatsApp, described the bill as the most concerning piece of legislation currently being discussed in the western world.

He said: “It’s a remarkable thing to think about. There isn’t a way to change it in just one part of the world. Some countries have chosen to block it: that’s the reality of shipping a secure product. We’ve recently been blocked in Iran, for example. But we’ve never seen a liberal democracy do that.

“The reality is, our users all around the world want security,” said Cathcart. “Ninety-eight per cent of our users are outside the UK. They do not want us to lower the security of the product, and just as a straightforward matter, it would be an odd choice for us to choose to lower the security of the product in a way that would affect those 98% of users.”

From https://www.theguardian.com/technology/2023/mar/09/whatsapp-end-to-end-encryption-online-safety-bill

In passing, the March Guardian article noted that WhatsApp requires UK users to be 16 years old. This doesn’t appear to be an issue for Meta, but could be an issue for another very popular online service.

The Online Safety Bill and Wikipedia

So how does the Online Safety Bill affect Wikipedia?

Wikipedia article about the Online Safety Bill as of August 1, 2023. https://en.wikipedia.org/wiki/Online_Safety_Bill

It depends on how the Online Safety Bill is implemented via the rulemaking process.

As in other countries, the true effects of legislation aren’t apparent until the government writes the rules that implement the legislation. It’s possible that the rulemaking will carve out an exemption allowing Wikipedia to NOT enforce age verification. Or it’s possible that Wikipedia will be mandated to enforce age verification for its writers.

Let’s return to Richard Allan.

If they do not (carve out exemptions) then there could be real challenges for the continued operation of some valuable services in the UK given what we know about the requirements in the Bill and the operating principles of services like Wikipedia.

For example, it would be entirely inconsistent with Wikipedia’s privacy principles to start collecting additional data about the age of their users and yet this is what will be expected from regulated services more generally.

From https://www.regulate.tech/online-safety-bill-some-futures-25th-july-2023/

Left unsaid is the same issue that affects encryption: age verification for Wikipedia may be required in the United Kingdom, but may not be required for other countries.

It’s no surprise that Jimmy Wales of Wikipedia has a number of problems with the Online Safety Bill. Here’s just one of them.

(Wales) used the example of Wikipedia, in which none of its 700 staff or contractors plays a role in content or in moderation.

Instead, the organisation relies on its global community to make democratic decisions on content moderation, and have contentious discussions in public.

By contrast, the “feudal” approach sees major platforms make decisions centrally, erratically, inconsistently, often using automation, and in secret.

By regulating all social media under the assumption that it’s all exactly like Facebook and Twitter, Wales said that authorities would impose rules on upstart competitors that force them into that same model.

From https://www.itpro.com/business-strategy/startups/370036/jimmy-wales-online-safety-bill-could-devastate-small-businesses

And the potential regulations that could be imposed on that “global community” would be anathema to Wikipedia.

Wikipedia will not comply with any age checks required under the Online Safety Bill, its foundation says.

Rebecca MacKinnon, of the Wikimedia Foundation, which supports the website, says it would “violate our commitment to collect minimal data about readers and contributors”.

From https://www.bbc.com/news/technology-65388255

Regulation vs. Privacy

One common thread between these two cases is that implementation of the regulations results in a privacy threat to the affected individuals.

  • For WhatsApp users, the privacy threat is obvious. If WhatsApp is forced to fully or partially disable encryption, or is forced to use an encryption scheme that the UK Government could break, then the privacy of every message (including messages between people outside the UK) would be threatened.
  • For Wikipedia users, anyone contributing to the site would need to undergo substantial identity verification so that the UK Government would know the ages of Wikipedia contributors.

This is yet another example of different government agencies working at cross purposes with each other, as the “catch the pornographers” bureaucrats battle with the “preserve privacy” advocates.

Meta, Wikipedia, and other firms would like the legislation to explicitly carve out exemptions for their firms and services. Opponents say that legislative carve outs aren’t necessary, because no one would ever want to regulate Wikipedia.

Yeah, and the U.S. Social Security Number isn’t an identificaiton number either. (Not true.)

Why ONT’s international flights depart from (but do not arrive at) Terminal 2, and why there is no Terminal 3

I learned some fun facts during Eren Cello’s presentation to the Greater Ontario Business Council this morning, and filed those in my brain along with some other facts that I have collected over the years.

Cello is the Director of Marketing and Communications for Ontario International Airport in Ontario, California. Which, incidentally, is not in Canada.

Ontario International Airport in the 1980s and 1990s

I first became aware of Ontario International Airport in October 1983, when I flew in from Portland, Oregon for a job interview. Back in those days, you didn’t walk from the airplane straight into the terminal. Instead, you walked to a flight of stairs, went down the stairs, then walked across the runway to enter the terminal.

As Ontario and the surrounding area grew over the years, the then-owner of Ontario International Airport (Los Angeles World Airports) decided that an ambitious expansion of the airport was in order, including modern, multi-level terminals with check-in and baggage claim on the first floor, and the gates and shops on the second floor. Instead of renovating the existing terminal, LAWA decided to build two brand new terminals. These terminals were opened in 1998 and were designated “Terminal 2” and “Terminal 4.” As soon as traffic increased to the required level, LAWA would go ahead and build Terminal 3 between the two terminals.

And the old terminal, now “Terminal 1,” was closed.

Ontario International Airport Terminal 1 as of September 2021, 20 years after airport traffic changed forever.

It sounded like a sensible design and a sensible plan. What could go wrong?

Ontario International Airport in the 2000s and 2010s

Well, three years after Terminals 2 and 4 opened, 9/11 happened. This had two immediate effects.

First, the anticipated increase in passenger traffic needed to open Terminal 3 didn’t happen.

There were other alleged reasons for this which eventually led to the separation of Ontario International Airport from LAWA, but those are beyond the scope of this post. I wrote about them in a personal blog at the time; here’s an example.

Second, increased security meant that the second floors of Terminals 2 and 4 were accessible to passengers only.

The days of walking to the gate to send off departing passengers and greet arriving ones were gone forever.

And for all of those businesses that were located on the second floors of the two terminals, their customer base was cut dramatically, since non-ticketed individuals were confined to the first floors of the terminals. Until recently, those first floors only included the random vending machine to serve visitors. Only now is the situation starting to improve.

But Ontario International Airport survived 9/11, and has survived COVID (although traffic is still only at 93% of 2019 levels).

According to Cello, Ontario International Airport now serves 11 passenger airlines with nonstop flights to destinations in the United States, Mexico, Central America, and Asia.

The second most fascinating fun fact

But of all the fun facts I learned today, the second most fascinating fun fact was the reason why the international airlines are based in Terminal 2 rather than Terminal 4. No, it’s not because Southwest has so many flights in Terminal 4 that there is no room for anyone else. Actually, parts of Terminal 4 are closed; if you see a film with someone at Gate 412, you know the film is staged. See 15:08 of this video.

The reason why the international airlines are based in Terminal 2 is because that terminal is the only one designed for the large wide-body jets that go to international destinations.

Southwest Airlines, of course, has a different operating model that doesn’t need a lot of wide-body jets.

International services in the future and in the past

Incidentally, there are both short-term and long-term plans to improve the facilities for international passengers, who currently can depart from Terminal 2 but have to arrive at a completely separate “international arrivals terminal” (reviews) and go through security there.

And if you’re wondering why Ontario International Airport doesn’t have optimum service for international passengers, the “international” in the airport’s designation merely means that there is at least one existing flight to an international destination. For Ontario, trans-Pacific cargo flights existed back in the 1940s, and the first passenger flight from an international destination occurred (according to Wikipedia) on May 18, 1946, when a Pacific Overseas Airlines flight arrived from Shanghai. (This was the Pacific Overseas Airlines based in Ontario, California, not the Pacific Overseas Airlines in Siam. The Ontario company appears to have only been in existence for a year or so.)

Of course, back in 1946, international passengers didn’t have great expectations. Leaving the plane by going down a flight of stairs was the normal mode of operations; none of this walking from the airplane straight into the airport building.

The Beatles arrive at the former Idlewild Airport on February 7, 1964. Note the stairway in the background. By United Press International, photographer unknown – This image is available from the United States Library of Congress’s Prints and Photographs division under the digital ID cph.3c11094.This tag does not indicate the copyright status of the attached work. A normal copyright tag is still required. See Commons: Licensing for more information., Public Domain, https://commons.wikimedia.org/w/index.php?curid=4532407

The MOST fascinating fun fact

Oh, and in case you’re wondering why the wide-body jet service is only the second most fascinating fun fact, I learned something else today.

The “Paw Squad” at Ontario International Airport has their own trading cards!

From https://twitter.com/flyONT/status/1445797568135393285

A view of 9/11 from the 9/11 Commission’s border counsel

There are different ways to look at 9/11. I’m familiar with the reconstructions of Vice President Cheney’s actions in Washington on that day, and of President Bush as he flew around the country on that day (the only plane in the sky).

But what about the activities of the hijackers on that day, and in the months preceding that day?

All of this was examined by the 9/11 Commission. As a result of its investigation, this body made significant recommendations, some of which have only taken nearly two decades to implement, assuming they ARE implemented as (re) scheduled.

By Cleanup by Andrew_pmk (talk · contribs); straightened and cropped by Holek (talk · contribs) – http://www.9-11commission.gov/press/911report_cover_HIGHRES.jpg, Public Domain, https://commons.wikimedia.org/w/index.php?curid=2376314

Janice Kephart was border counsel to the 9/11 Commission, and has been involved in homeland security ever since that time. She is currently CEO and Owner of Identity Strategy Partners.

As the 20th anniversary of 9/11 approaches, Kephart has released a documentary. As she explains, the documentary contains a wealth of information from the 9/11 Commission’s investigation of the hijackers, much of which was never officially released. Her hope:

If we are never to forget, we must educate. That is the purpose of this documentary. It is history, it is legacy, from the person who knows the details of the hijacker’s border story and has continued to live it for the past 20 years. I hope it resonates and educates.

When listening to Kephart’s documentary, keep in mind how much our world has changed since 9/11. Yes, you went through a security screening before you boarded a plane, but it was nothing like the security screenings that we’ve gotten used to in the last 20 years. Before 9/11, you could walk all the way up to the gate to send off departing passengers or greet arriving ones. And identity documents were not usually cross-checked against biometric databases to make sure that applicants were telling the truth.

I personally was not as familiar with the stories of the hijackers as I was with the stories of Bush and Cheney. The documentary provides a wealth of detail on the hijackers. (Helpful hint: don’t be afraid to pause the video when necessary. There’s a lot of visual information to absorb.)

Toward the end of the documentary, Kephart concentrates on Mohamed Atta’s return to the U.S. in January 2001, when his tourist visa had already expired and his student visa application was still pending. Kephart notes that Atta shouldn’t have been allowed back into the country, but that he was let in anyway. The details regarding Atta’s January 2001 entry are discussed in detail in a separate report (see section III.B).

(Incidentally, Atta’s student visa application wasn’t approved until July 2001, and his flight school wasn’t notified until 2002.)

Kephart wonders what might have happened if Mohamed Atta had been denied re-entry into the United States in January 2001 because of the visa irregularities. Since Atta was the ringleader and the driving force behind the attack, would the denial of entry have delayed or even terminated the 9/11 attack plans?

If you want to view the documentary, it is hosted on YouTube.

Words matter, or the latest from the National Institute of Standards and Technology on problematic security terms

(Alternate title: Why totem pole blackmail is so left field.)

I want to revisit a topic I last addressed in December, in a post entitled “Words matter, or the latest from the Security Industry Association on problematic security terms.”

If you recall, that post mentioned the realization in the technology community that certain long-standing industry terms were no longer acceptable to many technologists. My post cited the Security Industry Association’s recommendations for eliminating language bias, such as replacing the term “slave” (as in master/slave) with the term “secondary” or “responder.” The post also mentions other entities, such as Amazon and Microsoft, who are themselves trying to come up with more inclusive terms.

Now in this particular case, I’m not that bent out of shape over the fact that multiple entities are coming up with multiple standards for inclusive language. (As you know, I feel differently about the plethora of standards for vaccine certificates.) I’ll grant that there might be a bit of confusion when one entity refers to a blocklist, another a block list, and a third a deny list (various replacements for the old term “blacklist”), but the use of different terms won’t necessarily put you on a deny list (or whatever) to enter an airport.

Well, one other party has weighed in on the inclusive language debate – not to set its own standards, but to suggest how its employees should participate in general standards discussions.

That entity is the National Institute of Standards and Technology (NIST). I’ve mentioned NIST before in other contexts. But NIST just announced its contribution to the inclusive language discussion.

Our choice of language — what we say and how we say it — can have unanticipated effects on our audience, potentially conveying messages other than those we intend. In an effort to help writers express ideas in language that is both clear and welcoming to all readers, the National Institute of Standards and Technology (NIST) has released new guidance on effective wording in technical standards.

The point about “unanticipated effects” is an interesting point. Those of us who have been in tech for a while have an understanding of what the term “blacklist” means, but what of the new person who sees the term for the first time?

So, since NIST employees participate in technical standards bodies, it is now publicly sharing its internal guidance as NISTIR 8366, Guidance for NIST Staff on Using Inclusive Language in Documentary Standards. This document is available in PDF form at https://doi.org/10.6028/NIST.IR.8366.

It’s important to note that this document is NOT a standard, and some parts of this “guidance” document aren’t even guidance. For example, section 4.1 begins as follows:

The following is taken from the ‘Inclusive Language’ section of the April 2021 version of the NIST Technical Series Publications Author Instructions. It is not official NIST guidance and will be updated periodically based on user feedback.

The need to periodically update is because any type of guidance regarding inclusive language will change over time. (It will also change according to culture, but since NIST is a United States government agency, its guidance in this particular case is focused on U.S. technologists.)

The major contribution of the NIST guidance is to explain WHY inclusive language is desirable. In addition to noting the “unanticipated effects” of our choice of language, NIST documents five key benefits of inclusive language.

1. avoids false assumptions and permits more precise wording,

2. conveys respect to those who listen or read,

3. maintains neutrality, avoiding unpleasant emotions or connotations brought on by more divisive language (e.g., the term ‘elderly’ may have different connotations based on the age of an employee),

4. removes colloquialisms that are exclusive or usually not well understood by all (e.g., drink the Kool-Aid), and

5. enables all to feel included in the topic discussed.

Let me comment on item 4 above. I don’t know how many people know that the term “drink the Kool-Aid” originated after the Guyana murders of Congressman Dan Ryan and others, and the subsequent mass suicides of People’s Temple members, including leader Jim Jones.

Rev. Jim Jones at an anti-eviction rally Sunday, January 16, 1977 in front of the International Hotel, Kearny and Jackson Streets, San Francisco. By Nancy Wong – Own work, CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=91003548

They committed suicide by drinking a cyanide-laced drink which may or may not have been Kool-Aid. The entire history (not for the squeamish) can be found here. But even in 2012, many people didn’t know that history, so why use the colloquialism?

So that’s the guidance. But for those keeping score on specific terms, the current guidance document mentions the a number of suggestions, either from NIST or other entities. I’m going to concentrate on three terms that I haven’t mentioned previously.

  • Change “blackmail” to “extortion.”
  • Change “way out in left field” to “made very inaccurate measurements.” (Not only do some people not understand baseball terminology, but the concepts of “left” and “right” are sometimes inapplicable to the situation that is under discussion.)
  • Change “too low on the primary totem pole” to “low priority.” (This is also concise.)

So these discussions continue, sometimes with controversy, sometimes without. But all technologists should be aware that the discussions are occurring.

Words matter, or the latest from the Security Industry Association on problematic security terms

I may have accidentally hit upon a post series.

In my previous installment of “Words Matter,” published a little over a month ago on November 12, I described how Simon A. Cole made a distinction between words such as “decision,” “interpretation,” and “findings” when talking about how forensic results are described. The passage of time, and the perceptions that change over time, affect how words are used.

There are other examples of how perceptions change over time. Those of us who were alive in the 1960s may remember how the cigarette advertisement phrase “you’ve come a long way, baby” was initially perceived as a liberating, feminist phrase.

Similarly, those of us who were alive in the 1960s may remember that the Washington Redskins were infamous for being the last NFL team in the modern era to add a black player to its roster. The fact that the Washington Redskins were the Washington REDSKINS was not a matter of concern for most people. (Now is the time for a confession: even today, I own a Washington Redskins keychain and a Washington Redskins cup. But I don’t flaunt my ownership of these items.)

Let’s move to the tech world, in which terms that were OK with most people a few years ago are now questionable. The Security Industry Association has compiled a list of some common security terms which, in the SIA’s view, exhibit “language bias.”

Now I’ll be the first to admit that the SIA’s view is not a universal view. There are a number of people who would reply “get over it” if someone objected to one of these terms. (At the same time, there are a number of people who wonder why these terms were ever adopted in the first place.)

I’ll confess that, with the exception of master/slave, I hadn’t really thought about the offensiveness of these terms. And I wondered if the proposed replacement terms would prove to be clunky and unusable.

Well, in my opinion, the SIA did a pretty good job in proposing some new terms that are workable without being offensive. Take the SIA’s proposed replacement for master/slave, for example. The SIA’s proposal to remove the “language bias” that references slavery in the United States and other nations is to substitute the word “primary” or “commander” for “master,” and “secondary” or “responder” for “slave.” The replacement terms convey the security meaning well.

Here are some other proposed terminology changes from the SIA:

  • Change “blacklist” to “blocklist.” Heck, this is just a one letter change.
  • Change “whitelist” to “allowlist.” Perhaps it seems a teeny bit clumsy on first reading, but this would definitely work.
  • Change “black hat” and “white hat” to “bad hat” and “good hat,” or alternatively to “malicious hacker” and “ethical hacker.” Incidentally, the alternative terminology effectively dodges another issue that is unrelated to race or sex bias, namely whether “hacker” and “malicious hacker” are synonyms.
  • For connectors, change “male” and “female” to “plug” and “socket.” This probably conveys the meaning better than the original terms did.

Now the Security Industry Association is just one entity, and I’m sure that other entities are coming up with other terms that replace the older terms. As of today, Wikipedia lists 11 different replacement pairs for master/slave alone, including primary/secondary (BIND), primary/replica (Amazon and Microsoft, among others), provider/consumer (OpenLDAP), and others. There are also multiple alternatives to blacklist/whitelist, including the aforementioned blocklist/allowlist, and other pairs such as deny list/allow list and block list/allow list (with spaces).

All of these suggestions are going to float around and compete with each other, and various trade associations, governments, and other entities are going to adopt one or more of these, causing people who do business with these associations/governments/entities to adopt them also. And there will be the usual debate in those places where standards, like sausages, are made.

After all of these standards battles are complete, which set of terms will prevail?

That’s easy.

LOS ANGELES – MARCH 14: Guest arrives for the 2019 iHeartRadio Music Awards on March 14, 2019 in Los Angeles, California. (Photo by Glenn Francis/Pacific Pro Digital Photography). By Toglenn (Glenn Francis) – This file has been extracted from another file: Taylor Swift 2 – 2019 by Glenn Francis.jpg, CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=81523364

The terminology adopted by Taylor Swift will be the terminology that will be adopted by the rest of the world.

Sorry, SIA, but the general population cares much more about what Taylor Swift believes. Perhaps if SIA changed its acronym to TAYLOR, things would be different.

Swift (not to be confused with the Society for Worldwide Interbank Financial Telecommunication) is today’s Oprah Winfrey, and unlike Winfrey is referenced by cybersecurity practitioners.

And she can write a catchy chorus.