Founders, projects and providers of blockchain services, like other industry participants, usually take it for granted that they have no obligation to return property if digital assets are lost or stolen. However, in a very significant judgment, the English Court of Appeal has now opened the door for a future decision on the extent to which developers have legal duties in such circumstances.
This will be the first time an English court has considered this issue, and if it finds that there are duties, it could increase the scope of obligations for users of blockchain service providers such as exchanges or operators of DeFi.
The case involves claims by Tulip Trading, run by Dr Craig Wright, against the core developers of a number of networks for the return of private keys allegedly lost following a hack on Dr Wright’s home computer.
The lower court had flatly rejected these claims. In its decision of 25 March 2022 on service out of jurisdiction, the English High Court held that there was “no serious case to be tried on the claim” that a fiduciary duty or an indemnity was owed.
In particular, the lower court found that:
(a) The builders were a “fluctuating and unidentified body” on whom it would not be sensible to impose continuing obligations.
(b) The alleged positive duty (to introduce a software update to return a user’s private keys) was distinguished from other types of duty (such as a duty not to introduce malicious software or to include network security).
(c) Such steps would benefit one user, not the class of users in general, some of whom may object to a user bypassing the private key system in a supposedly decentralized network.
(d) The duty will be owed to an “unknown and potentially unlimited” class of users.
On 2 February 2023, the Court of Appeal decided to uphold the user’s appeal against the first-instance decision. While the Higher Court did not go so far as to itself find that there was a fiduciary duty to introduce code to allow the return of users’ crypto assets, it held that it was a serious issue that should proceed to a full trial.
The Court of Appeal recognized that in order for the user’s case to be successful, there must be a significant development in the general public about fiduciary duties. However, it also considered that there could be realistic arguments for this position, given the relationship between developers and users. The judgment also acknowledged the potential implications for legal recognition of the concept of decentralization in general, noting: “If the decentralized governance of bitcoin is indeed a myth, then in my judgment there is much to be said for the submission that bitcoin developers, while acting as developers , owes a fiduciary duty to the true owners of that property.”
The forthcoming decision will be highly anticipated, not only from an English law perspective, but also more generally across common law jurisdictions where the Court’s jurisprudence may be treated as having persuasive authority. The judgment will therefore be of significant interest to all blockchain industry participants, including project developers, service providers and investors.
If such bodies were found to owe users duties to recover lost or stolen assets, this would impose a significant additional compliance and communication burden on them, as well as potential legal liability if they do not act. These burdens are potentially greater than those faced by many other persons on whom English law has imposed fiduciary duties because developers usually have no direct relationship with users, so typical legal controls associated with fiduciary duties (e.g. restrictions on certain activities, such as prohibition against giving advice and contractual provisions, such as “no reliance” representations) may not be available, as easy to apply or as effective in this context. The introduction of these duties may also conflict with the functional distinction that many projects envisage between, on the one hand, the technological development of decentralized open source applications with little or no further administration by the original developers and, on the other hand, the independent use of these applications by users who have no clear relationship with these developers.