Michael Bacina and Jordan Markezic of the Piper Alderman Blockchain Group bring you the latest legal, regulatory and project updates in Blockchain and Digital Law.

A fiduciary duty by any other name would smell just as sweet: Tulip Trading v Bitcoin Association

Key takeaways

The High Court of England and Wales (High Court) has recently summarily dismissed a claim brought against bitcoin software developers in Tulip Trading Ltd v Bitcoin Association For BSV & Ors [2022] EWHC 667 (Ch) (TTL v Bitcoin Association).

The claimant - Tulip Trading Limited (Tulip) - and by extension, its CEO, Dr Craig Wright, sought declarations that it owned a very substantial amount of digital currency assets as well as orders requiring the Defendants to take steps to ensure that Tulip had access to and control of the assets, or for equitable compensation or damages.

This serves as the first case heard by the English Courts that considers the roles and duties of cryptocurrency software developers, and one closely watched by others around the world.

The Justice hearing the matter, Mrs Justice Falk (Falk J) was not able to conclude that Tulip had any realistic prospect of establishing that the facts pleaded amounted to a breach of fiduciary duty owed to it by the Defendants.

This matter was an interlocutory application and still leaves open the possibility that the English Courts could impose a fiduciary duty upon cryptocurrency developers, but will be persuasive precedent in the meantime.

Facts

Tulip sought declarations that it owned a very substantial amount of digital currency assets as well as orders requiring the Defendants to take steps to ensure that Tulip had access to and control of the assets, or for equitable compensation or damages. In short, The Defendants in this matter were the core developers and who the claimant alleged controlled the software in respect of four digital asset networks:

i) the Bitcoin Satoshi Vision Network (BSV Network);
ii) the Bitcoin Core Network (BTC Network);
iii) the Bitcoin Cash Network (BCH Network); and
iv) the Bitcoin Cash ABC Network (BCABC Network)

NB: Together, the Defendants.

A number of the Defendants challenged the jurisdiction of the High Court.

The overall facts of the matter are such that Tulip alleges that BTC, BCH, and BCHABC Networks were all initially created by copying the blockchain of a pre-existing network (BSV in 2017) but applying different protocols and software instructions.

Tulip alleged that the relevant assets were held on the BSV Network and have been replicated in the others through the copying process referred to above including the period after a substantial hack of computers located at Dr Wright's home office in Surrey, England.

The hack was alleged to have resulted in the loss of Dr Wright's private keys, that were contained in encrypted digital wallet files, and which had not been accessed in several years, being stolen and transactions being effected without Dr Wright (or his spouses) approval. Digital currency worth approx £1.1 million had been taken from Dr Wright's digital wallet.Tulip claimed that the Defendants were the core developers of, and had control over, various forked versions of Bitcoin, and that they had the ability to propose amendments to the underlying source code in order to give Tulip control over the previously stolen digital assets. Tulip claimed that the Defendants were under tortious and fiduciary duties that compelled them to do this.

The extent to which the developers actually had control was a factual issue in dispute. Tulip submitted that the Defendants controlled the networks as they were able to chose the software updates to be promoted, and decide whether or not to implement changes to the source code. The Defendants submitted in response that they were part of a very large, shifting group of contributors without any organisation or structure and that any change they were able to make would be ineffective as miners could/would refuse to run the updates and instead would continue to run earlier versions of the software.

Tulip disputed this by submitting that there was no mechanism among miners that could allow for a collective refusal to accept a software update, and that the current consensus mechanism is limited to the acceptance by nodes of blocks of transactions being verified by other bodes, as opposed to relating to the protocols that govern the network. A 'fork' which implemented Tulip's proposed changes were said to be contrary to the core values of bitcoin, could only be created if some of the developers refused to make the change.

Since none of the Defendants were domiciled within the jurisdiction of the English Courts, Tulip required permission under the Civil Procedure Rules 1998 (UK) to serve proceedings on the Defendants outside of the jurisdiction. In May 2021, Tulip obtained permission under the Rules to serve the Defendants on an ex parte basis. The Defendants contested service and sought to have the original order set aside.

Decision and reasoning

The fiduciary relationship question

In determining whether it was appropriate to impose a fiduciary relationship between the parties - and in effect, placing obligations on the Developers to take positive steps to re-write source code - the Court looked to past decisions including Bristol and West v Mathew  where the Court noted a fiduciary will be a person who has:

undertaken to act for or on behalf of another in a particular matter in circumstances which give rise to a relationship of trust and confidence. The distinguishing obligation of a fiduciary is the obligation of loyalty. The principal is entitled to the single-minded loyalty of his fiduciary. (at [54]-[55])

Tulip submitted that, by virtue of the Defendants having complete control and oversight of the blockchain source code, Tulip had entrusted the Defendants with care of their digital assets and that Tulip was vulnerable to abuse. Tulip also submitted that the Defendants had the power to re-write and amend the software code running the blockchains, in effect to restore the stolen private keys, and that this gave rise to a fiduciary relationship.

The Court found that it was difficult to see how Tulip's case that a fiduciary duty arose was seriously arguable, and that Tulip did not have a realistic prospect of establishing that the facts pleaded amounted to a breach of fiduciary duty owed by the Defendants to Tulip.

The Court held that a imbalance of power in favour of the Defendants, coupled with a vulnerability under that power imbalance is only an indication of a potential fiduciary duty and not a defining characteristic. The Court further went onto hold that bitcoin owners could only realistically be described as entrusting their property to a fluctuating and unidentified body of developers of the software to the extent claimed by Tulip.

The Court held that a distinguishing factor in considering a fiduciary duty is an obligation of undivided loyalty. Tulip was seeking that the Defendants made code changes to benefit it alone, as opposed to bitcoin owners generally. Importantly, the Court noted that the changes sought by Tulip could not only disadvantage other participants in the networks vitae a rival claimant to the assets, but also potentially other users more broadly.

The Court considered that other users may not agree that a system change that allows digital assets to be accessed and controlled without the relevant private keys accords with their interests. The Court held that the positive steps sought to be imposed upon the Defendants by Tulip went well beyond the nature of the action and would likely expose the Defendants to risk.

The tortious duty question

The Court relied upon established principles in N v Poole Borough Council  [2020] AC 780 and Caporo v Dickman  [1990] 2 AC 605 to determine whether a duty of care existed, confirming that an incremental approach ought to be adopted based on an analogy with established categories of liability, and whether the imposition of a duty of care would be fair, just and reasonable.

The Court further noted that any and all losses suffered by Tulip was purely economic, and that there were no elements present to suggest physical harm to person or property. The effect of this, the Court noted, was that no common law duty of care could arise in the absence of a special relationship between the parties. Tulip accepted that the claimed tortious duty of care is novel, but submitted that it would amount to a permissible incremental extension of the law.

The Court held that it had not been able to conclude the existence of a fiduciary relationship as it was unable to found a duty of care in respect of economic loss. The Court also rejected arguments that the necessary special relationship existed on some other basis such as to require the action Tulip sought.

The Court noted that the complaint was founded on failures to act, and that what was complained of is the Defendants not taking action to alter how the system worked to ensure that Tulip regained control of the bitcoin following harm caused by a third party. The Court did not consider it realistically arguable that the imposition of such a requirement could be treated as an incremental extension of the law, noting the economic nature of the alleged loss.

The Court held that the duty sought to be applied to the Defendants would be owed to a potentially unlimited class of people; and that there would be no real restriction on the number of claims that could be advanced against the Defendants by alleged victims of hacks akin to the hack alleged in this matter (i.e. where private access keys have been stolen).

The Court went further, holding that the duty was of such an open ended scope that a Defendant would be obliged to investigate and address any claim that a person had lost their private keys or had them stolen.

The change of case issue

Tulip tried to amend their claim late in the piece to suggest that the developers would be entitled to require an order from the Court confirming ownership of assets before being required to act. Tulip also submitted that the developers would be entitled to payment for their work in writing and developing the software patch. The Court later commented that this argument did not assist Tulip, but instead undermined their case.

A change of case for jurisdiction purposes required the 'indulgence' of the Court, under Alliance Bank JSC v Aquanta Corp  [2012] EWCA Civ 1588. Such a change of case required a formal application accompanied by a copy of the statement of claim with the proposed amendments.

No application had been made in this case. The Court head Tulip's submission relying upon NML Capital Limited v Republic of Argentina  [2011] 3 WLR 273 that the requirements mentioned above were not required. The Court noted the two stage test for the possibility of quia timet relief held in Vastint Leeds v Persons Unknown  [2019] 4 WLR 2:

i) is there a strong probability that, unless restrained by injunction, the defendant will act in breach of the claimant's rights?
ii) Secondly, if the defendant did an act in contravention of the claimant's rights, would the harm resulting be so grave and irreparable that, notwithstanding the grant of an immediate interlocutory injunction (at the time of actual infringement of the claimant's rights) to restrain further occurrence of the acts complained of, a remedy of damages would be inadequate? (at [121])

Taking these principles into consideration, the Court held that this matter was quite a long way from the sort of case where quia timet  relief was able to be granted. The Court noted that Tulip had neither sought relief against the alleged hackers, nor sought interim injunctive relief where digital assets have been lost in respect of the alleged theft and no interim relief was sought against the Defendants at all. As a result, Tulip's actions were inconsistent with a material concern about imminent harm.

The jurisdiction issue

Because Tulip's case was being dismissed, it was not necessary to decide the challenge to the Court's jurisdiction, but the Court did so in any event (in case of an appeal). This nvolved considering the various 'gateways' that jurisdiction could arise in the matter.

Tulip sought to rely on an earlier case they were involved in, Tulip Trading Ltd v Bitcoin Association for BSV & Ors [2022] EWHC 2 (Ch) (05 January 2022) (the January 2022 matter) which included a finding that Tulip was a resident in England. The Court was not satisfied that this was determinative, and decided that case wasn't needed and in any event didn't have the necessary element of finality.

However, the Court held that - based on the available evidence - it was difficult to see how Tulip could sustain loss in any other jurisdiction than England as Tulip handled it's accounting there. As a result the Court found it had jurisdiction in the matter.

Comments

This decision has been hailed as absolving software developers in blockchain projects from liability, and if it indeed went this far it would press back on matters such as the situation in the SEC enforcement against the founder of Ether Delta.

However, there are important limitations, including that this decision is interlocutory in nature, not from a final hearing, and the Court was at pains to emphasize that the decision was fact driven to the narrow facts (a loss of private keys and an assertion that developers must change source code to restore the keys). Much of the Court's decisions and reasoning was clearly in contemplation of an appeal, which will likely occur. THere remains plenty of scope for Courts to impose a fiduciary or tortious duty on developers in other circumstances.

Academics - such as Brian Choi in the Harvard Law Journal *, and Jack Bulkin in the University of California Davis Law Review ** - have argued for a fiduciary relationship and duties of care to be imposed upon online service providers, and by extension software developers.

In particular, Balkin argues that duties of care ought to be placed upon online service providers and software developers by virtue of the trust that end-users place in the developers and software, and the dependence that end-users have, in these providers and developers; a level of vulnerability that end-users accept in reliance of digital services and the nature of sensitive information being traded as consideration for access to digital services.

Choi, on the other hand, notes that in recent years there have been calls for an ad hoc imposition of fiduciary duties upon software developers by analogy to traditional professions such as doctors and lawyers. Choi argues that non-professionals are subject to the prescriptive 'reasonable care' standard, which is determined by reference to the ordinary reasonable person, whereas professionals are judged under the descriptive 'customary care' standard, which is determined according to the internal norms of the professional community. Choi argues that a realignment is required where the practice is not a precise science but an inexact art, and thus that there is a greater need for the exercise of professional judgment.

We note, however, that software developers are often working as a part of a larger team and only expressly on smaller parts of a great whole, which is an important distinction to many professionals, where an individual is given responsibility for meeting certain standards.

The Tulip case is an important first step in the consideration of the legal duties which software developers may owe, and will be likely to be cited in future similar decisions. It will remain an area which developers and start-ups operating in the blockchain space will need to be careful of when they are building the tools of the future.

* Bryan H. Choi, 'Software as a Profession' (2020) 33(2) Harvard Journal of Law & Technology

** Jack M. Balkin, 'Information Fiduciaries and the First Amendment' (2016) 49 University of California Davis Law Review 1183, 1208