Losing the private keys to your bitcoin - can you force developers to help you out?

The recent case of Tulip Trading Ltd v Bitcoin Association For BSV & Ors [2022] EWHC 667 (Ch) has led to a landmark judgment ruling on the law relating to block chain and encryption technology.

The English courts had to consider for the first time what duties, if any, developers of open source crypto asset software have to those who use their code to store or trade their crypto assets.

The claimant was Tulip Trading Ltd (TTL), a Seychelles company owned by Dr Craig Wright, an Australian computer scientist resident in the UK. TTL suffered a cyber attack where £1.1m of its bitcoin was stolen and the file containing the private keys to billions more of its bitcoin was erased. It is impossible to access your digital assets without the private keys. TTL decided to sue 16 developers of the bitcoin networks for the losses incurred, claiming that the developers owed it a duty to take positive steps to apply a "patch" to the blockchain network to reverse the hack.  

The problem for TTL was persuading the court that such a duty existed. This problem came to the fore very quickly in the proceedings, as all the defendants were outside the jurisdiction of England and Wales, and in order to serve out of the jurisdiction a claimant must satisfy the court that there is a serious issue to be tried on the merits of the claim and that it has a real as opposed to a fanciful prospect of success. The defendants claimed that this was not the case here because no such duty existed. The court agreed with them.

Fiduciary duty

TTL tried to argue that the developers were under a fiduciary duty requiring them to take all reasonable steps to provide TTL with access to and control of its bitcoin, and to ensure that that the fraud was not given effect.

To be a fiduciary there must be some undertaking to act for another (the principal), such that a relationship of trust and confidence arises. The potential for abuse in such a relationship gives rise to a fiduciary duty, the key feature of which is an obligation of single-minded loyalty to the principal’s interests. It is a breach of fiduciary duty if a fiduciary prefers its own interests over that of its principal, or if a fiduciary acts for two or more principals who have potentially conflicting interests without the informed consent of the other. Examples of fiduciary relationships include trustee and beneficiary, or company directors and the company. 

TTL argued that a fiduciary duty should be imposed on the developers because of the significant imbalance of power they had through the control of the networks, and because the users ‘entrusted’ their property to them. The judge however said that this was not seriously arguable:

• An imbalance of power is not a defining characteristic of a fiduciary relationship
• The developers were a fluctuating and unidentified body of individuals – it was unrealistic to say that bitcoin owners had ‘entrusted’ their bitcoin to them, or that they owed continuing obligations to remain as developers and make future updates whenever it might be in the interests of bitcoin owners to do so
• There was no realistic prospect of establishing the obligation of single-minded loyalty required for a fiduciary relationship:  
  • Installing the patch would bypass the fundamental feature that digital assets can only be transferred through the use of private keys, and this could well conflict with other users’ expectations about the security of the network, the efficacy of blockchain processes and their anonymity
  • Acting in one bitcoin owner’s interests could create a conflict with a rival claimant to the bitcoin

Tortious duty

TTL also tried to argue that the developers owed bitcoin owners a common law duty of care to assist them regain control of their assets if they lose access to their private keys.

When identifying whether a new duty of care exists, the court will take an incremental approach based on analogy with established categories of liability, giving consideration as to whether the imposition of a duty of care would be fair, just and reasonable. The court rejected that the developers here had a duty of care to TTL:

• No special relationship - if only economic harm is suffered as was the case here (i.e. there had been no physical harm to person or property), then there will be no duty of care unless there is a special relationship between the parties. TTL argued that there was a special relationship because of the defendants' assumption of control of the networks, but the judge held that there was no special relationship for the same reasons she had held there was no fiduciary relationship.
• Failure to act - TTL’s complaint was not about wrongful actions by the developers, but a failure to act. There is no general duty to protect others from harm. There is also no duty of care to prevent third parties from causing loss or damage, and although there are some exceptions to this (if the defendant was in position of control over the third party, or had assumed a positive responsibility to safeguard the claimant), these are less likely to apply if only economic harm has been suffered.

The judge also noted other difficulties with the claim for a duty of care:

• The duty would be owed to an unknown and potentially unlimited class - anyone who had allegedly lost their private keys or had them stolen
• The scope of the duty was open-ended - it would require the developers to investigate and address any claim that a person had lost their private keys or had them stolen. It was not clear how they could do that, given the anonymity of the system and the scope for off-chain transactions. Also applying the patch did not protect developers from claims by rival claimants to the bitcoin, and it was unlikely developers could get insurance against such claims, but owners could protect themselves by keeping copies of private keys in different locations, and possibly by insurance
• The developers were a fluctuating body of individuals - it was hard to see how there was any basis for imposing an obligation which would require them to continue to be involved and make changes when required by owners, when they have given no previous commitment or assurance that they would do so and their previous involvement may well have been intermittent

TTL tried to argue that the public policy issue raised by its claim, namely that bitcoin owners have no recourse if their private keys were lost, was so important that the case should still go to a full trial. The judge refused however, saying that the public policy issue could not provide a foundation for a duty for which there was no realistically arguable basis under existing law. The judge did indicate that there may still be a development of the law in this area – in its Digital Assets project the Law Commission is currently looking at the issue of competing claims to digital assets and how legal remedies or actions can protect digital assets.

This may also not be the last of such claims - the judge said she could see arguments for a duty of care on developers where they had actually committed wrongful acts. She gave examples of developers having assumed some responsibility when making software changes to ensure they took reasonable care not to harm the interests of users but then, say, introducing a malicious software bug that compromised the security of the network. Alternatively she said it was conceivable that some duty might be imposed on developers that had complete control of networks to address bugs or other defects that arise in the course of operation of the system which threaten that operation.