The Court held that software developers do not owe a duty of care to bitcoin owners who lost their private keys.

By Christian F. McDermott, Andrew C. Moyle, and Nara Yoo

In Tulip Trading Ltd (TTL) v. Bitcoin Association for BSV and others, TTL claimed that personal computers of its CEO, Dr. Craig Wright, were hacked and the encrypted private keys to two addresses holding around 111,000 bitcoin (currently worth over £3.6 billion) belonging to TTL were stolen. TTL also claimed that the hackers deleted copies of the keys, preventing Dr. Wright and TTL from accessing the digital assets at those addresses.

TTL brought action against 16 core developers (Developers) that allegedly control the software in respect of the four relevant digital asset networks (Networks), consisting of one “original” network and three subsequent blockchain copies. In this case, the Court looked at the extent of the Developer’s liability to TTL for the stolen/lost keys.

Of relevance to the instant case, the UK courts have also recently addressed the protection of non-fungible tokens (NFTs). In April 2022, the High Court ruled that NFTs are legal property and can be protected as such (in this case, by a proprietary freezing injunction). This decision was the first to explicitly determine the proprietary nature of NFTs, and would allow the victims of NFT theft to seek injunctions against those whose cryptowallet has been identified as carrying a stolen NFT, as well as the NFT platform on which the asset is being sold.

The Developers Do Not Owe Fiduciary Duties to TTL

In the TTL case, TTL claimed that the Developers owe fiduciary duties (including a positive duty to alter software to introduce a patch) and are/can be required to take all reasonable steps to provide it with access to and control of the bitcoin in issue, and to take all reasonable steps to ensure that effect is not given to the fraud.

The Court disagreed, and concluded that TTL had no realistic prospect of establishing that the Developers owe, and are in breach of, a fiduciary duty to TTL. The Court made three interesting remarks that provide some context in reaching this conclusion.

  • First, bitcoin owners cannot realistically be described as “entrusting” their property to the Networks’ software developers given that they are a fluctuating, and unidentified, body of developers. Similarly, the Developers cannot realistically owe continuing obligations to, for example, remain as developers and make future updates whenever it might be in the interests of owners to do so.
  • Second, users generally would not benefit from the remedial action sought by TTL. The change sought could be to the disadvantage of other participants in the Networks, including a rival claimant to the assets and potentially other users more generally.
  • Third, the actions sought by TTL from the Developers, to enable TTL to regain control of its bitcoin, go well beyond any potential duty owed to TTL, and may expose the Developers to risk. For example, a rival claimant to the bitcoin in issue could have a legitimate complaint against the Developers as a result of such actions.

The Developers Do Not Owe Tortious Duties to TTL

TTL also claimed that the Developers owe a duty of care, amongst others, to include in the software means to allow those who have lost their private keys or had them stolen to access their bitcoin, and to include sufficient safeguards against wrongdoing by third parties.

As a starting point, a special relationship must be established for a common law duty of care to arise since any loss that TTL suffered is purely economic. TTL relied on a fiduciary relationship as the special relationship but, as discussed above, the Court concluded that such a relationship was not realistically arguable. Albeit not raised by TTL, the Court suggested that the Developers arguably assume some level of responsibility in relation to software defects and bugs which threaten the operation of the software or the interests of users.

Noting that TTL’s claim relates to the Developers’ alleged failures to make changes to how the Networks work rather than to address a known defect, the Court concluded that TTL’s claim that the Developers owe a duty of care cannot realistically be argued to be fair, just, and reasonable. In reaching its conclusion, the Court highlighted the following three points to explain why the imposition of such tortious duty of care could not be treated as an incremental extension of the law.

  • First, the potential class in this case is unknown and potentially unlimited, as any persons who had allegedly lost their private keys or had them stolen can potentially advance their claim against the Developers.
  • Second, it is unclear how the Developers would go about investigating and addressing claims that a person had lost their private keys or had them stolen, given the anonymity of the system and the scope for offchain transactions.
  • Third, there is no basis for imposing an obligation that would require the Developers to continue to be involved and make changes when required by owners, when they have given no previous commitment or assurance that they would do so (their previous involvement may have been intermittent).

Takeaways

There has been some uncertainty in the digital assets space on whether developers of open source digital assets software could be held accountable for open source code that has been adopted and applied by end users. In this decision, the Court provided clear guidance on the threshold for developer liability for lost digital assets, paving the way for this emerging area of law. An appeal is possible, but whether TTL will continue to pursue the claim remains to be seen.

The High Court decision that NFTs can be protected as legal property adds a further layer to the courts’ guidance on the protection and recovery of digital assets. The court demonstrated a willingness to assist the victims of digital asset thefts in this case, by providing for injunctions that could potentially require digital assets platform and/ or cryptowallet operators to block the sale of stolen digital assets.

Companies operating in the cryptocurrency and digital assets space should watch for further developments in this rapidly evolving, and not entirely predictable, area of law.