Words matter, or the latest from the National Institute of Standards and Technology on problematic security terms

(Alternate title: Why totem pole blackmail is so left field.)

I want to revisit a topic I last addressed in December, in a post entitled “Words matter, or the latest from the Security Industry Association on problematic security terms.”

If you recall, that post mentioned the realization in the technology community that certain long-standing industry terms were no longer acceptable to many technologists. My post cited the Security Industry Association’s recommendations for eliminating language bias, such as replacing the term “slave” (as in master/slave) with the term “secondary” or “responder.” The post also mentioned other entities, such as Amazon and Microsoft, that are themselves trying to come up with more inclusive terms.

Now in this particular case, I’m not that bent out of shape over the fact that multiple entities are coming up with multiple standards for inclusive language. (As you know, I feel differently about the plethora of standards for vaccine certificates.) I’ll grant that there might be a bit of confusion when one entity refers to a blocklist, another a block list, and a third a deny list (various replacements for the old term “blacklist”), but the use of different terms won’t necessarily put you on a deny list (or whatever) to enter an airport.

Well, one other party has weighed in on the inclusive language debate – not to set its own standards, but to suggest how its employees should participate in general standards discussions.

That entity is the National Institute of Standards and Technology (NIST). I’ve mentioned NIST before in other contexts. But NIST just announced its contribution to the inclusive language discussion.

“Our choice of language — what we say and how we say it — can have unanticipated effects on our audience, potentially conveying messages other than those we intend. In an effort to help writers express ideas in language that is both clear and welcoming to all readers, the National Institute of Standards and Technology (NIST) has released new guidance on effective wording in technical standards.”

The point about “unanticipated effects” is an interesting one. Those of us who have been in tech for a while have an understanding of what the term “blacklist” means, but what of the new person who sees the term for the first time?

So, since NIST employees participate in technical standards bodies, it is now publicly sharing its internal guidance as NISTIR 8366, Guidance for NIST Staff on Using Inclusive Language in Documentary Standards. This document is available in PDF form at https://doi.org/10.6028/NIST.IR.8366.

It’s important to note that this document is NOT a standard, and some parts of this “guidance” document aren’t even guidance. For example, section 4.1 begins as follows:

“The following is taken from the ‘Inclusive Language’ section of the April 2021 version of the NIST Technical Series Publications Author Instructions. It is not official NIST guidance and will be updated periodically based on user feedback.”

Periodic updates are needed because any type of guidance regarding inclusive language will change over time. (It will also change according to culture, but since NIST is a United States government agency, its guidance in this particular case is focused on U.S. technologists.)

The major contribution of the NIST guidance is to explain WHY inclusive language is desirable. In addition to noting the “unanticipated effects” of our choice of language, NIST documents five key benefits of inclusive language.

1. avoids false assumptions and permits more precise wording,

2. conveys respect to those who listen or read,

3. maintains neutrality, avoiding unpleasant emotions or connotations brought on by more divisive language (e.g., the term ‘elderly’ may have different connotations based on the age of an employee),

4. removes colloquialisms that are exclusive or usually not well understood by all (e.g., drink the Kool-Aid), and

5. enables all to feel included in the topic discussed.

Let me comment on item 4 above. I don’t know how many people know that the term “drink the Kool-Aid” originated after the Guyana murders of Congressman Dan Ryan and others, and the subsequent mass suicides of People’s Temple members, including leader Jim Jones.

Rev. Jim Jones at an anti-eviction rally Sunday, January 16, 1977 in front of the International Hotel, Kearny and Jackson Streets, San Francisco. By Nancy Wong – Own work, CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=91003548

They committed suicide by drinking a cyanide-laced drink which may or may not have been Kool-Aid. The entire history (not for the squeamish) can be found here. But even in 2012, many people didn’t know that history, so why use the colloquialism?

So that’s the guidance. But for those keeping score on specific terms, the current guidance document mentions a number of suggestions, either from NIST or other entities. I’m going to concentrate on three terms that I haven’t mentioned previously.

  • Change “blackmail” to “extortion.”
  • Change “way out in left field” to “made very inaccurate measurements.” (Not only do some people not understand baseball terminology, but the concepts of “left” and “right” are sometimes inapplicable to the situation that is under discussion.)
  • Change “too low on the primary totem pole” to “low priority.” (This is also concise.)

So these discussions continue, sometimes with controversy, sometimes without. But all technologists should be aware that the discussions are occurring.

Words matter, or the latest from the Security Industry Association on problematic security terms

I may have accidentally hit upon a post series.

In my previous installment of “Words Matter,” published a little over a month ago on November 12, I described how Simon A. Cole made a distinction between words such as “decision,” “interpretation,” and “findings” when talking about how forensic results are described. The passage of time, and the perceptions that change over time, affect how words are used.

There are other examples of how perceptions change over time. Those of us who were alive in the 1960s may remember how the cigarette advertisement phrase “you’ve come a long way, baby” was initially perceived as a liberating, feminist phrase.

Similarly, those of us who were alive in the 1960s may remember that the Washington Redskins were infamous for being the last NFL team in the modern era to add a black player to their roster. The fact that the Washington Redskins were the Washington REDSKINS was not a matter of concern for most people. (Now is the time for a confession: even today, I own a Washington Redskins keychain and a Washington Redskins cup. But I don’t flaunt my ownership of these items.)

Let’s move to the tech world, in which terms that were OK with most people a few years ago are now questionable. The Security Industry Association has compiled a list of some common security terms which, in the SIA’s view, exhibit “language bias.”

Now I’ll be the first to admit that the SIA’s view is not a universal view. There are a number of people who would reply “get over it” if someone objected to one of these terms. (At the same time, there are a number of people who wonder why these terms were ever adopted in the first place.)

I’ll confess that, with the exception of master/slave, I hadn’t really thought about the offensiveness of these terms. And I wondered if the proposed replacement terms would prove to be clunky and unusable.

Well, in my opinion, the SIA did a pretty good job in proposing some new terms that are workable without being offensive. Take the SIA’s proposed replacement for master/slave, for example. The SIA’s proposal to remove the “language bias” that references slavery in the United States and other nations is to substitute the word “primary” or “commander” for “master,” and “secondary” or “responder” for “slave.” The replacement terms convey the security meaning well.

Here are some other proposed terminology changes from the SIA:

  • Change “blacklist” to “blocklist.” Heck, this is just a one letter change.
  • Change “whitelist” to “allowlist.” Perhaps it seems a teeny bit clumsy on first reading, but this would definitely work.
  • Change “black hat” and “white hat” to “bad hat” and “good hat,” or alternatively to “malicious hacker” and “ethical hacker.” Incidentally, the alternative terminology effectively dodges another issue that is unrelated to race or sex bias, namely whether “hacker” and “malicious hacker” are synonyms.
  • For connectors, change “male” and “female” to “plug” and “socket.” This probably conveys the meaning better than the original terms did.

Now the Security Industry Association is just one entity, and I’m sure that other entities are coming up with other terms that replace the older terms. As of today, Wikipedia lists 11 different replacement pairs for master/slave alone, including primary/secondary (BIND), primary/replica (Amazon and Microsoft, among others), provider/consumer (OpenLDAP), and others. There are also multiple alternatives to blacklist/whitelist, including the aforementioned blocklist/allowlist, and other pairs such as deny list/allow list and block list/allow list (with spaces).

All of these suggestions are going to float around and compete with each other, and various trade associations, governments, and other entities are going to adopt one or more of these, causing people who do business with these associations/governments/entities to adopt them also. And there will be the usual debate in those places where standards, like sausages, are made.

After all of these standards battles are complete, which set of terms will prevail?

That’s easy.

LOS ANGELES – MARCH 14: Guest arrives for the 2019 iHeartRadio Music Awards on March 14, 2019 in Los Angeles, California. (Photo by Glenn Francis/Pacific Pro Digital Photography). By Toglenn (Glenn Francis) – This file has been extracted from another file: Taylor Swift 2 – 2019 by Glenn Francis.jpg, CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=81523364

The terminology adopted by Taylor Swift will be the terminology that will be adopted by the rest of the world.

Sorry, SIA, but the general population cares much more about what Taylor Swift believes. Perhaps if SIA changed its acronym to TAYLOR, things would be different.

Swift (not to be confused with the Society for Worldwide Interbank Financial Telecommunication) is today’s Oprah Winfrey, and unlike Winfrey is referenced by cybersecurity practitioners.

And she can write a catchy chorus.