High Court Finds Developers Did Not Owe Duty to Cryptoasset Owners to Enable Access to Lost Cryptoassets

Published on: 29/04/2022

The High Court has held that cryptoasset systems and software developers did not owe a duty to cryptoasset owners to permit or enable access to the assets where the owners had lost control over the assets following a hack. The court set aside an order permitting service of the proceedings on the developers out of the jurisdiction, as the owners had not established a serious issue to be tried on the merits: Tulip Trading Limited v Bitcoin Association for BSV [2022] EWHC 667 (Ch).

This is an important judgment for cryptoasset owners and developers, and is the latest in a series of significant rulings from the English courts in relation to cryptoassets. It suggests that an owner of cryptoassets has no recourse against the developers of the relevant cryptoasset systems if they lose control of their cryptoassets, either accidentally or due to an event such as a hacking incident. It does not, however, altogether close off arguments that the developers or controllers of cryptoasset systems might owe fiduciary duties or a tortious duty of care in other circumstances, for example where they have introduced a bug by means of a software update or otherwise created a risk to users.

The present decision follows an earlier interim order in the same case (discussed in our previous blog post) where the court refused to allow security for costs to be paid in cryptocurrency as that would not result in protection equal to a payment into court or first class guarantee.

Background

The background to the case is described in more detail in our previous post linked above.

The claimant (a Seychelles company owned by Dr Craig Wright, who claims to be the creator of the Bitcoin system) claimed to own Bitcoin worth in the region of US$4.5 billion, which he accessed and controlled from his computer and network in England. This access was facilitated by secure private keys, which were subsequently deleted by hackers who accessed Dr Wright’s computer in February 2020 and caused Dr Wright to lose access to the Bitcoin.

The claimant claimed that the defendants, open-source software developers who developed the Bitcoin Core and Bitcoin Cash ABC software on a non-commercial basis, owed a fiduciary or (in the alternative) tortious duty to the claimant to enable it to re-access the Bitcoin.

The claimant sought a declaration that it owned the relevant assets and orders requiring the defendants to take reasonable steps to ensure that it had access to them, or for equitable compensation or damages. It obtained permission to serve the claim on the defendants out of the jurisdiction on a “without notice” application, in the usual way. Following service, one defendant accepted the court’s jurisdiction over the claims, but the other defendants challenged jurisdiction.

Decision

The High Court (Falk J) held that the claimant had not established a serious issue to be tried on the merits of the claim. Therefore the order permitting service out of the jurisdiction, and the service itself, would be set aside.

Falk J applied the usual three-limb test for service out: first, whether there was a serious issue to be tried on the merits; second, whether there was a good arguable case that the claims fell within one of the “gateways” under CPR PD 6B; and third, whether England was the appropriate forum for the trial of the dispute.

1. A serious issue to be tried on the merits of the claim

Under the first limb, the court considered whether there was a serious issue to be tried on the merits of the claim; ie whether the claimant had a real prospect of successfully establishing that the court should impose either a fiduciary duty or tortious duty of care on the defendant.

Fiduciary duty

Falk J applied the classic formulation of a fiduciary stated by Millet LJ In Bristol and West Building Society v Mothew [1998] Ch 1, where a fiduciary is described as:

“someone who has undertaken to act for or on behalf of another in a particular matter in circumstances which give rise to a relationship of trust and confidence. The distinguishing obligation of a fiduciary is the obligation of loyalty. The principal is entitled to the single-minded loyalty of his fiduciary.”

This duty would encompass a situation where the relationship gives rise to a legitimate expectation that the fiduciary will not utilise their position to the detriment of the principal, citing Arklow Investments Ltd v Maclean [2000] 1 WLR 594. However, in each case the specific context in which it is said that a fiduciary duty arises must be examined.

The judge observed that the claimant in this case sought to impose on the defendant a positive duty to act to introduce a software patch that would allow the claimant to regain control of its assets. The claimant’s case relied on the alleged imbalance of power between the defendants (as developers) and the claimant (as a cryptoasset owner), as well as the entrustment of property by the latter to the former.

However, Falk J found that, whilst an imbalance of power was often a feature of fiduciary relationships, it was not a defining characteristic or sufficient condition. In addition, Bitcoin owners cannot realistically “be described as entrusting their property to a fluctuating, and unidentified, body of developers of the software”. It could not realistically be argued that the developers owed continuing obligations to remain as developers and make future updates when the nature of their engagement was often intermittent and doing so may expose the defendants themselves to risk.

The judge also noted that the claimant was seeking to require the defendants to take actions for the benefit of the claimant alone, to recover their property, and not for the benefit of all users, such as a systemic software change. This was not characteristic of a relationship of single-minded loyalty as described in Mothew, which the court noted was the distinguishing feature of a fiduciary relationship.

He therefore held that there was no realistic basis for the imposition of a fiduciary duty in favour of the claimant.

Interestingly, Falk J did comment that it would be conceivable that some sort of duty might be engaged where “in making an update to the software, the Defendants acted in their own interests and contrary to the interests of owners” for example where a developer introduced a bug or feature that compromised owners’ security but served their own purposesIn such a case, it was arguable that the developer would have “assumed some responsibility by performing that function”, though it would not necessarily be characterised as a fiduciary duty.

Tortious duty of care

Falk J noted that the Supreme Court had made clear that, in determining whether a duty of care exists, an incremental approach should be adopted, based on an analogy with established categories of liability, citing eg N v Poole Borough Council [2020] AC 780. Caparo v Dickman [1990] 2 AC 605 did not lay down a universal tripartite test (of (i) foreseeability, (ii) proximity and (iii) fairness, reasonableness and justice), but the question of whether the imposition of a duty of care would be fair, just and reasonable formed part of the court’s analysis of whether an incremental step should be taken to impose a duty of care.

The judge further observed that:

  1. as the loss suffered by the claimant was purely economic, no common law duty of care could arise in the absence of a special relationship, citing Murphy v Brentwood [1991] 1 AC 398 (which may be characterised by an assumption of responsibility, citing Henderson v Merrett Syndicates [1995] 2 AC 145); and
  2. the claim related to a failure to prevent third parties causing loss or damage, for which it is established that liability will not be imposed, subject to exceptions such as that identified in the case of Dorset Yacht Co Ltd v Home Office [1970] AC 1004, where the defendants were in a position of control over the third party.

The claimant argued that the imposition of a duty of care on these facts would be a novel but permissible and incremental extension of the law. The claimant’s case was that a special relationship existed between the owners of cryptoassets and developers who had assumed control of the digital asset networks. Moreover, the claimant suggested there were strong public policy reasons to ensure that developers could not act in a way that would have the effect of depriving owners of their digital assets.

However, Falk J noted that the claimant’s complaint was that the defendants failed to act to change how the digital asset networks work via a software patch, rather than a failure to address a known defect. To impose a duty, the court would be required to identify a special relationship between the defendants and claimant solely on the basis of the developers’ control of the cryptoasset networks, and to require the defendants to act to make changes, in circumstances where the software was operating as anticipated. The judge held that it was not realistically arguable that to impose a duty in such circumstances would be an incremental change in the law.

In addition, the failure to act in this case related to an act of a third party; the defendants had not done anything to create or increase the risk of harm. There was no argument that the defendants had control over the third party (the hackers) in this case, which was therefore distinguishable from Dorset Yacht.

Further, the alleged duty would be owed to an “unknown and potentially unlimited” class and would have an “open-ended scope”. These factors suggested that it would not be fair, just and reasonable to impose a duty of care.

Falk J was also not persuaded by the claimant’s reliance by analogy on Barclays Bank v Quincecare [1992] 4 All ER 363, where a duty of care was established in the context of a contractual relationship between bank and customer where the bank also acted as the customer’s agent. It has been suggested in Federal Republic of Nigeria v JP Morgan Chase Bank [2019] EWHC 347 (Comm) that the duty established in Quincecare could extend to a positive duty of enquiry. Falk J held that the cryptoasset networks did not have such a relationship with the claimant on the facts. The court commented further that there was nothing in the Court of Appeal’s recent decision in Philipp v Barclays Bank [2022] EWCA Civ 318, handed down after the hearing in this case, that affected this analysis.

However, the judge commented that cryptoasset developers might owe a tortious duty of care to cryptoasset owners in some circumstances. For instance it might be arguable that, when making software changes, “developers assume some level of responsibility to ensure that they take reasonable care not to harm the interests of users”, for example by introducing a malicious software bug or compromising the security of the cryptoasset network, and it was also conceivable that “some duty might be imposed to address bugs or other defects” where these threaten the operation of the system.

2. The jurisdictional gateways: a good arguable case

Though not strictly necessary given the court’s decision in relation to the first limb, the judge considered obiter whether any relevant gateways applied under paragraph 3.1 of Practice Direction 6B.

Gateway 11: property within the jurisdiction

This gateway applies where the subject matter of the claim “relates wholly or principally to property within the jurisdiction”. The judge noted that this applied to a claim for damages or any other relief and not only to claims for ownership or recovery of property.

The claimant asserted that the Bitcoin constituted property, the claim related to this property, and the property was located in the jurisdiction. The defendants accepted that the Bitcoin constituted property, but argued that it was not located within the jurisdiction.

The claimant and defendants differed as to the test to be applied concerning whether the Bitcoin was located within the jurisdiction. The claimant argued that its place of residence was the key determining factor, being the place where its central management and control was exercised. The defendants argued that domicile was the correct test, and therefore that the assets should be regarded as located in the Seychelles, where the claimant is incorporated.

In determining which test to apply, Falk J considered the case of Ion Science Limited & Anor v Persons Unknown (unreported), 21 December 2020 (considered in our previous blog post here). In that case, Butcher J concluded that there was at least a serious issue to be tried that “the lex situs of a cryptoasset is the place where the person or company who owns it is domiciled”.

However, Falk J observed that the distinction between domicile and residence or place of business appears not to have been material in Ion Science, and in his judgment Butcher J also referred to residence, which strongly indicated that Butcher J was not intending to say that domicile was the sole relevant test. Further, the textbook referred to by Butcher J in fact referred to residence or place of business, not domicile.

Falk J said she would have preferred the claimant’s arguments on this issue and would have held the relevant test to be that of residency. She noted that the application of the residency test was not straightforward in this case as the claimant had no active business, and “its sole function appears to be to act as a vehicle to hold digital assets”, but found that there was sufficient evidence to amount to a good arguable case that the claimant was resident in, and the property located within, the jurisdiction.

Gateway 9: damage within the jurisdiction

This gateway applies where damage was sustained, or will be sustained, within the jurisdiction. The claimant argued that the assets were located within the jurisdiction on the same grounds as above, and that damage had similarly been sustained in the jurisdiction. The cryptoassets were effectively worthless without the ability to control them and it was from England that the claimant could not control or deal with the assets – once the defendants refused to take action then damage was (or would be) suffered there (citing FS Cairo (Nile Plaza) v Brownlie [2021] UKSC 45; [2021] 3 WLR 1011).

The defendants argued that, if there was any damage, it would be suffered in the Seychelles. The defendants submitted that a clear distinction was drawn in Brownlie between personal injury cases (considered in that case) and cases of pure economic loss.

Falk J, following her decision on Gateway 11 as described above, preferred the claimant’s arguments on the basis of residence in the jurisdiction, and the fact that any failure to regain control of the assets was directly experienced in England, and not in the Seychelles.

Gateway 4A

This gateway applies where a claim is made against the defendants in reliance on one or more of the other paragraphs (with some exceptions) of Practice Direction 6B, and a further claim is made against the same defendants which arises out of the same or closely connected facts.

Falk J considered that, although there was no jurisdictional gateway specifically designed for alleged breaches of fiduciary duty, there was a good arguable case that the relevant claim in this case would fall within gateways 9 or 11. But if it did not then gateway 4A would be engaged.

3. Forum

Falk J commented briefly on the application of the third limb of the test for service out of jurisdiction, as to whether England would be the proper forum.

Had there been a serious issue to be tried, she would have been satisfied that England was the appropriate forum for the trial of the dispute, and that she ought to exercise her discretion to permit service of the proceedings out of the jurisdiction. This was on the basis of connecting factors such as the claimant’s (and its primary agent, Dr Wright’s) presence in the jurisdiction, the court’s preference for the claimant’s argument that the cryptoassets were located in the jurisdiction, and the fact that the claimant was bringing a claim under English law.

 

This blog was written by Natasha Johnson, Partner, and Philip Lis, Senior Associate, and Herbert Smith Freehills.