Who is responsible? The English court comments on duties owed to cryptoasset owners
The judgment in Tulip Trading Ltd v Bitcoin Association for BSV and Others sheds light on the legal relationship between the software developers behind various bitcoin networks and their participants. Notably, the court found that there was no case to be made that the developers had a duty to take action to undo the effects of an alleged theft. At the same time, the possibility of other legal duties falling on developers in the future was left open. Players in the crypto markets should be cognisant of this position, amid ongoing market turmoil.
The decision
Earlier this year, the High Court denied a prominent bitcoin holder, whose private keys to substantial holdings were allegedly taken in a cyber-attack, the right to serve a legal claim on a group of developers for failing to take action to restore the lost value into the claimant’s hands.
The case was brought by Tulip Trading Ltd (“Tulip”), which claimed that the defendants were the core developers behind various bitcoin networks and/or otherwise controlled the relevant software, and that they owed the claimant fiduciary and/or tortious duties to rectify the “theft” of private keys by writing and implementing a software “patch” that would restore Tulip’s access to the bitcoin assets. In setting aside permission to serve the claim out of the jurisdiction, Mrs Justice Falk held that there was no serious issue to be tried on the merits of the claim. Last month, Falk J also declined Tulip leave to appeal.
No fiduciary and tortious duties – for now
Falk J rejected the argument that the software developers owed the claimant a fiduciary duty. In particular, she noted that the defining characteristic of a fiduciary relationship is the obligation of undivided loyalty, and if the claimant’s argument were accepted, the steps that the defendants would have to take would be for the claimant’s benefit alone, to the exclusion of other users, to whom the defendants would also owe the same duty and who would have a legitimate complaint against the defendants.
Falk J also refused to find a tortious duty of care in this situation. She concluded that it would not merely be an incremental extension of the law to impose a duty concerning “failures to make changes to how the networks work, and were intended to work, rather than to address a known defect”. This was particularly true given that the alleged loss was an economic loss arising out of an omission.
Underlying both strands of Falk J’s reasoning is a recognition of the “core values of bitcoin as a concept” (in the defendants’ words): digital assets are transferred through the use of private keys and what the claimant was seeking was effectively to bypass that.
Bitcoin networks are not financial institutions
Tulip argued that bitcoin networks “could be equated with financial institutions”, in the sense that “[f]unds were being entrusted to controllers of the Networks, who profited from their activities, and public policy required the imposition of a corresponding duty of care”, and therefore a duty of care similar to the duty of care on banks established in Barclays Bank v Quincecare [1992] 4 All ER 363 should be imposed on bitcoin networks. Falk J was not persuaded by the argument: in particular, she noted that the starting point for the Quincecare duty of care is the relationship of contract and agency between the bank and its customer. It is interesting that such arguments seen in the more traditional financial sphere were being deployed in the context of a decentralised network with no contractual framework, and the court’s rejection of the direct analogy should be welcomed.
Room for future claims?
Without deciding the point, Falk J in obiter commentary left open the prospect of the developers or controllers of digital asset networks owing some other form of duty to owners of digital assets in other situations. For instance, she suggested that it was conceivable that some form of duty could arise if the developers “introduc[ed] for their own advantage a bug or feature that compromised owners’ security but served their own purposes.” Falk J hinted that there may be other circumstances where the developers or controllers could owe a duty.
This is only a first instance decision following a summary procedure and therefore its precedent value will be limited. But, in practice, this decision is likely to be influential given the novel issues raised. The recent turmoil in the cryptoasset market may provide fertile ground for litigation on this topic as the significance of these potential duties takes centre stage.