This browser is not actively supported anymore. For the best passle experience, we strongly recommend you upgrade your browser.

Freshfields Risk & Compliance

| 3 minute read

Tulip Trading: when do blockchain developers owe duties to their users?

In an judgment on the question of jurisdiction in the case of Tulip Trading Ltd v. Bitcoin Association for BSV and others [2022] EWHC 667 (Ch), the English High Court firmly rejected the proposition that developers and / or controllers of blockchain software owe a duty of care to take reasonable steps to protect blockchain users by, for example, re-establishing access to stolen digital assets and reversing known frauds. The Court did, however, leave the door open to the possibility that other more restricted duties may be imposed on developers and / or controllers.

What was alleged? 

The claimant, Tulip Trading Limited (a Seychelles-incorporated company owned and controlled by Dr Craig Wright) (TTL), alleged that it was locked out of its Bitcoin account following a hack on Dr Wright’s computer, in which the private keys needed to access the account were allegedly stolen and deleted from Dr Wright’s computer. 

Unlike other digital asset fraud cases seen in the English courts recently, the Bitcoins in question had (at the time of the hearing) not been moved elsewhere, but - without the private keys - Dr Wright was unable to access it. In light of this, TTL did not pursue remedies against the alleged perpetrators of the hack; rather, TTL argued that the developers and / or entities with significant control over the four digital asset networks (the Networks) on which the Bitcoins were recorded owed TTL a fiduciary or tortious duty to take reasonable steps to ensure that TTL had access to and control of the Bitcoin – in effect, that the developers should assist TTL in regaining control and use of the Bitcoins. In the absence of that, TTL sought equitable compensation or damages.

What did the Court decide? 

The Court found that there was no serious issue to be tried. In particular:

  • The developers did not owe TTL any fiduciary duties because:

    • Bitcoin owners could not realistically be described as having entrusted their property to a fluctuating, and unidentified, body of software developers;

    • the defining characteristic of a fiduciary relationship is the obligation of undivided loyalty - this gave rise to “a fundamental difficulty” because the steps that TTL wanted the developers to take would benefit it alone, but not necessarily other participants in the Networks, who might in fact be disadvantaged by the change sought. For example, the action may be contrary to the interests of potential rival claimants to the Bitcoin, or to other users’ expectations of how the system works and the security benefits of private keys; and

    • while fiduciaries can be under positive duties, what was being sought by TTL went beyond the nature of the obligations typically imposed on fiduciaries and may have exposed the developers to risks.

  • The developers were not under any tortious duty of care to take positive action to make changes to the Networks to assist TTL in regaining access to the digital assets.

    • The duty contended for by TTL would require the developers to investigate and take steps to address claims by any individual professing to have lost the private key to its digital assets or to have had them stolen. Factors such as the inherent anonymity in the system would render any such investigations extremely difficult, if not impossible, to conduct.

    • It was also difficult to see how the developers would be able to protect themselves if they took action which was subsequently challenged by rival claimants in circumstances where there were competing claims to digital assets (including whether they would be able to insure themselves against the risk of loss in respect of any claim being brought against them in this regard).  Owners of digital assets themselves, however, had significantly more control and were able to take steps to protect themselves against loss of their private keys.

    • The potential class of persons to whom any such duty would be owed was unknown and potentially unlimited such that there would be no real restriction on the number of claims that could be advanced against the developers by persons who had allegedly lost their private keys or had them stolen.

When might a duty arise? 

While the Court declined to find that any duties of the sort argued for by TTL arose, it recognised that software developers may be under other, more limited duties in certain circumstances, two examples of which were:

  • a potential duty requiring developers to take reasonable care not to harm the interests of users, for example, by taking a specific action (such as introducing a malicious bug) that might compromise the security of the relevant network; or

  • a potential duty requiring developers with control over networks to take some level of reasonable care to address bugs or other defects that arose in the course of operation of the system, and which threaten that operation.

What can we take from the case? 

While the Tulip Trading case concerned developers and “controllers” of Bitcoin networks, the principles considered by the Court should be borne in mind by any developers of distributed ledger technology. The Law Commission has expanded its current project on digital assets to consider both competing claims in relation to digital assets and how legal remedies or actions can protect digital assets but, in the absence of any legislation or regulation, it will remain up to the Court to consider the application of established legal principles in novel situations, as in this case.

Tags

financial institutions, cryptocurrency, fintech, litigation