A recent decision in the High Court of England and Wales considered cryptocurrency developers' fiduciary and tortious liabilities. The case confirms that developers and controllers of digital asset networks do not owe a fiduciary duty or a tortious duty to users who have lost the private keys needed to access their digital assets or had them stolen.
The decision should provide a better understanding to insurers of IT professionals and the controllers of digital asset networks as to the legal obligations that these groups owe to digital currency owners and provide some further comfort for underwriters considering offering cover to this emerging area of the digital economy.
The decision raised some interesting arguments regarding the appropriate jurisdiction for disputes concerning digital assets. The case highlights the jurisdictional complexities in dealing with digital assets. While the claim was pursued in England, the plaintiff is a Seychelles registered company. The theft of the asset occurred because of an alleged hack of the computer of the CEO, an Australian citizen living in Surrey, England.
Clyde & Co partners Darryl Smith and Matthew Pokarier consider the implication of the decision in detail.
The Claimant, Tulip Trading Limited ("TTL"), is a company incorporated in the Seychelles. Its CEO is Dr Craig Wright, an Australian citizen, resident in England since 2015. The claim relates to a very substantial amount of digital currency assets that TTL claims to own but is currently unable to control or use, following what it says was a hack of computers located at Dr Wright's home office in Surrey. TTL says that the result of the hack was to remove from those systems the "private keys", which would allow dealings in the assets and information that would allow access to those keys.
The Defendants are the core developers of, and control the software for, four relevant digital asset networks associated with the cryptocurrency Bitcoin (the Networks).
TTL claims that it owns digital assets valued at over £3 billion. The claimant alleges that he was the victim of a computer hack on his home computer, which resulted in the loss of his private keys and digital currency worth £1.1 million. The hack was reported to Surrey Police. The alleged perpetrators have not been identified.
TTL alleged that the Defendants controlled the Networks and could propose amendments to the underlying source code and that, as a result, they owed fiduciary and/or tortious duties to assist it in regaining control over the previously stolen digital assets. TTL sought Court orders to compel the Defendants to make such amendments. The Defendants disputed whether they had control of the Networks and whether they were able to enact the change that TTL sought.
The Court was required to determine whether it should grant TTL permission to serve proceedings on the Defendants outside of the jurisdiction. The judgment focused on whether TTL had a serious issue to be tried and whether, as a matter of law, the Defendants owed either a fiduciary or tortious duty as suggested by TTL.
TTL accepted that the relationship between the developers and the owners of digital currency was a new category of fiduciary relationship but submitted that the particular facts and circumstances of the case justified the imposition of fiduciary duties. TTL placed reliance on the alleged significant imbalance of power the Defendants have over the network. The Defendants rejected TTL's characterisation of a fiduciary duty, claiming that it would impose extensive obligations in respect of every owner of bitcoin, which is, by its very nature, an anonymous and fluctuating class of persons with whom the Defendants have no direct communication or contractual relationship. Further, it would require the Defendants to take positive action in potential conflict with their other duties towards other owners on the network.
Falk J rejected TTL's case on fiduciary duty, finding that there was no realistic prospect of establishing that the facts pleaded amounted to a breach of fiduciary duty. Her Honour determined that an imbalance of power was not a defining characteristic of fiduciary duty and was not a sufficient condition for the existence of the duty. Further, Her Honour could not square TTL's requirement that the Defendants take steps for its benefit alone and not for the benefit of other users with the duty of undivided loyalty owed by a fiduciary.
TTL also claimed that the Defendants are in breach of a duty of care by failing:
- to include in the software means to allow those who have lost their private keys or had them stolen to access their bitcoin,
- to include sufficient safeguards against wrongdoing by third parties, and
- to take steps to give TTL access and/or control or otherwise protect TTL against fraud or allow it to seek to put right any fraud that occurs in the future.
As with TTL's submission regarding fiduciary duties, the key argument for imposing a novel duty of care was that the control the Defendants exercised over the network was such that public policy required the imposition of a corresponding duty of care. The Defendants rejected TTL's characterisation of the duty of care, stating that it amounted to a duty on developers to protect users from harm by third parties and from harm to themselves.
The Court noted that TTL's loss was purely economic, and as such, no common law duty of care could arise in the absence of a special relationship between the parties. The Court rejected TTL's arguments that the necessary special relationship existed. The Court also noted that there were other impediments to establishing a novel duty of care. Firstly, the complaint was founded on an omission following harm caused by a third party. The Court did not consider this to be an incremental extension of the current duty of care for pure economic loss. Secondly, the Court held that the duty sought was problematic due to indeterminacy of liability. If the Court recognised this duty, there would be nothing stopping anybody who had lost a private key from bringing a claim against the Defendants.
The case also considered whether England was the most appropriate forum for the dispute to be heard. The Court considered whether the digital assets were property held in England or whether any damage had occurred there. TTL is domiciled in the Seychelles. However, it argued that its place of residence, where TTL exercised its central management and control functions, was the more critical factor in determining whether the digital assets were in the jurisdiction. The Court accepted this argument.
Regarding where the damage arose, the Court again accepted TTL's argument that England was the jurisdiction from which TTL would have exercised control of its assets. Therefore, damage occurred in the jurisdiction.
The case provides an important clarification on the potential liability of developers in the emerging area of cryptocurrency or distributed ledger software. Australian Courts are likely to approach the issues slightly differently, particularly given the difference in the law regarding novel tortious duties and the Australian common law's salient features approach. However, the result is likely to be similar.
The decision should provide some comfort to IT professionals and their insurers in considering the potential future liabilities of developing distributed ledger software. However, the case does highlight some areas of potential liability. In this case, Falk J highlighted that holders of digital assets would have certain expectations of the performance of their assets, including the security of their network and private keys and the efficacy of the "proof of work" process and the need for anonymity. Breaches of such expectations may have led to establishing a duty of care.
The issue of breaching a performance expectation can be a particular risk for IT professionals dealing with Australian-based customers. One potential issue for software developers to consider is whether the statutory misleading or deceptive conduct provisions in the Australian Consumer Law (ACL) may provide a potential avenue for claims. This potential area of liability can be illustrated by the recent Victorian decision of ProLearn v Kytec and Telstra  VSC 5. In this case, an IT contractor was found not to owe the Applicants a tortious duty of care for their failures in designing a telephone network. However, the company was held liable for its conduct under the ACL, as it had over-promised the capabilities of the network it had designed and delivered.
To avoid potential liability under the ACL, Australian developers of crypto assets should carefully consider the representations they make to the holders of those assets regarding merchantable quality.