We need to talk about article 263
Article 263 of the Danish Penal Code serves as Denmark’s national cybersecurity law, and it is among the most restrictive in the world. While intended to criminalize malicious online activity, its broad wording also penalizes security researchers who identify and responsibly disclose vulnerabilities.
The law is brief: accessing data or systems belonging to others without authorization is a criminal offense, punishable by fines or imprisonment. On the surface, that seems reasonable, but it leaves little room for legitimate ethical research.
I teach the Systems Security course at Aarhus University, where students analyze the security of mobile apps on their own devices, using their own data and networks. We minimize risk and seek authorization from companies when possible, but sometimes that’s not feasible: firms don’t reply, students are late, or contact channels don’t exist.
Even with safeguards, students have occasionally found themselves in legal gray zones purely by accident:
- Case 1: An app contained a hidden link to an unlisted website exposing personal data due to a misconfiguration, only discovered after a quick look.
- Case 2: During a man-in-the-middle test, another app’s server leaked data from other users, filtered out in the client but still sent over the network.
- Case 3: A third app handled access control via a client-side cookie. Altering it granted higher privileges because the server accepted any claim without verification.
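Case 3 is the pattern a defender fixes by verifying the claim the cookie carries rather than believing it. The following is an added example, not code from the course or from any of the apps described: a role check that reads the role straight from the cookie, beside a version that only honours claims carrying a valid HMAC-SHA256 tag issued by the server (the secret key and the claim names are assumed).

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed placeholder; a real deployment loads a random key from secret storage.
SERVER_SECRET = b"example-only-secret-key-do-not-use"


def vulnerable_role(cookie_header: str) -> str:
    """Case 3 pattern: the role is read straight from the cookie and believed."""
    claims = dict(part.split("=", 1) for part in cookie_header.split("; ") if "=" in part)
    return claims.get("role", "user")


def encode_claims(claims: dict) -> str:
    """Serialise session claims as URL-safe base64 (carries no integrity on its own)."""
    raw = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    return base64.urlsafe_b64encode(raw).decode()


def issue_session_cookie(claims: dict) -> str:
    """Server side: attach an HMAC tag so the claims become tamper-evident."""
    body = encode_claims(claims)
    tag = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_session_cookie(cookie_value: str) -> Optional[dict]:
    """Return the claims only if the tag matches; None for anything the server did not issue."""
    if "." not in cookie_value:
        return None
    body, tag = cookie_value.rsplit(".", 1)
    expected = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(body.encode()))
    except ValueError:  # covers bad base64 and bad JSON
        return None


def hardened_role(cookie_value: str) -> str:
    """Role comes from verified claims only; unverifiable cookies get no privileges."""
    claims = verify_session_cookie(cookie_value)
    return claims.get("role", "user") if claims else "anonymous"
```

The other standard fix is to put only an opaque random session id in the cookie and resolve the role from a server-side session store; either way, the privilege decision is never taken from an unverified client value.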
These examples show how easily responsible researchers can stumble into illegal territory. No cases were brought against our students, but the disclosure process was stressful, and the law provides little protection for work done in the public interest.
As it stands, Article 263 protects companies deploying insecure systems but not those who uncover flaws. One could argue we should always obtain authorization, but when firms refuse or delay, vulnerabilities remain hidden, effectively shielded by law. It’s no surprise few Danish companies have bug bounty programs or disclosure policies. In all the cases above, students were legitimate users, motivated by curiosity and personal interest, not malice.
Coming from Brazil, a country with a harsher threat landscape, I find this imbalance striking. Brazilian law criminalizes unauthorized access only when done with malicious intent or causing harm, fostering a healthier environment for security research.
Denmark has a vibrant cybersecurity community, including some of the world’s best Capture the Flag (CTF) players. Yet their curiosity could one day get them into legal trouble. Article 263, as written, discourages exploration and widens the gap between Denmark’s technological ambitions and its digital reality.
We need reform, and we need it fast. It should not be illegal for users or security researchers to look under the hood of the systems that manage and store their data.