• Sat. May 21st, 2022

Losing your Bitcoin private keys – can you force the developers to help you?

ByHazel R. Lang

May 10, 2022

The recent case of Tulip Trading Ltd v Bitcoin Association for BSV & Ors [2022] EWHC 667 (Ch) led to a landmark judgment ruling on blockchain and encryption technology law.

The English courts had to consider for the first time the duties, if any, of developers of open-source crypto-asset software to those who use their code to store or trade their crypto-assets.

The plaintiff was Tulip Trading Ltd (TTL), a Seychellois company owned by Dr Craig Wright, an Australian IT specialist residing in the UK. TTL suffered a cyberattack in which £1.1 million of its bitcoins were stolen and the file containing the private keys of billions more of its bitcoins was erased. It is impossible to access your digital assets without the private keys. TTL decided to sue 16 developers from the bitcoin networks for the losses suffered, saying the developers had a duty to take affirmative action to apply a “patch” to the blockchain network to reverse the hack.

The problem for TTL was to persuade the court that such an obligation existed. This issue arose very quickly in the proceedings, as all of the defendants were outside the jurisdiction of England and Wales, and to serve outside the jurisdiction a claimant must satisfy the court that there is a serious question to judge. the merits of the claim and that it has a real and not a fanciful prospect of success. The defendants argued that this was not the case here because no such obligation existed. The court followed them.

Fiduciary duty

TTL attempted to argue that the developers were under a fiduciary duty requiring them to take all reasonable steps to provide TTL with access to and control of its bitcoin, and to ensure fraud was not enforced. .

To be a fiduciary, there must be a commitment to act for another (the principal), so that a relationship of trust is created. The potential for abuse in such a relationship gives rise to a fiduciary duty, the main feature of which is a duty of resolute loyalty to the interests of the principal. It is a breach of fiduciary duty if a fiduciary prefers its own interests to those of its principal, or if a fiduciary acts for two or more principals who have potentially conflicting interests without the informed consent of the other . Examples of fiduciary relationships include trustee and beneficiary, or company directors and company.

TTL argued that a fiduciary duty should be imposed on developers because of the significant power imbalance they had through control of the networks and because users had “entrusted” them with their ownership. The judge, however, said this was not seriously defensible:

  • A power imbalance is not a defining characteristic of a fiduciary relationship
  • Developers were a fluctuating, unidentified group of individuals – it was unrealistic to say that bitcoin owners had “entrusted” them with their bitcoin, or that they had ongoing obligations to remain as developers and make future updates whenever it might be in the interests of bitcoin owners to do so
  • There was no realistic prospect of establishing the resolute duty of loyalty required for a fiduciary relationship:
    • Installing the patch would circumvent the fundamental feature that digital assets can only be transferred through the use of private keys, which may well conflict with other users’ expectations of network security, efficiency of blockchain process and their anonymity.
    • Acting in the interest of a bitcoin owner could create a conflict with a rival bitcoin suitor

Tort duty

TTL also tried to argue that the developers owed bitcoin owners a common law duty of care to help them regain control of their assets if they lost access to their private keys.

In determining whether a new duty of care exists, the court will take a graduated approach based on analogy to the established categories of liability, considering whether the imposition of a duty of care would be fair, just and reasonable. The court rejected that the developers here owed a duty of care to TTL:

  • No special relationship – if only economic harm is suffered as was the case here (i.e. there was no physical harm to a person or property), then there will be no no duty of care unless there is a special relationship between the parties. TTL argued there was a special relationship because of the defendants’ takeover of the networks, but the judge found there was no special relationship for the same reasons it argued. that there was no fiduciary relationship.
  • Failure to act – TTL’s complaint did not relate to faulty actions of the developers, but to a failure to act. There is no general obligation to protect others from harm. There is also no duty of care to prevent third parties from causing loss or damage, and although there are some exceptions to this (if the defendant was in a position of control over the third party, or had assumed positive responsibility to protect the plaintiff), these are less likely to apply if only economic harm has been suffered.

The judge also noted other difficulties with the claim of a duty of care:

  • The duty would be due to an unknown and potentially unlimited class – anyone who has lost their private keys or had them stolen
  • The scope of the obligation was unlimited – it would force the developers to investigate and respond to any claims that someone has lost their private keys or stolen them. It was unclear how they could do this, given the anonymity of the system and the scope of off-chain transactions. Additionally, applying the patch did not protect developers from claims by rival bitcoin claimants, and developers were unlikely to be able to obtain insurance against such claims, but owners could protect themselves by keeping copies of keys. private in different places, and possibly by insurance.
  • Developers were a fluctuating body of individuals – it was difficult to see how there was a basis for imposing an obligation that would oblige them to continue to be involved and to make changes when required by the owners, when they gave no prior commitment or assurance that they would and their prior involvement may well have been intermittent

TTL tried to argue that the public policy issue raised by its claim, that bitcoin owners have no recourse if their private keys are lost, was so important that the case should still go to court. subject to a full trial. The judge, however, refused, saying the issue of public order could not form the basis of an obligation for which there was no reasonably arguable basis under applicable law. The judge indicated that there could still be a development of the law in this area – in its Digital Assets Project, the Law Commission is currently examining the issue of competing claims on digital assets and how remedies or legal actions can protect digital assets.

It may not be the last of these claims, either – the judge said she could see arguments for a duty of care from the developers when they had indeed committed wrongdoing. She gave examples of developers taking some responsibility when making software changes to ensure they were taking reasonable precautions not to harm users’ interests, but then, for example, introducing a malicious software bug that compromised network security. Alternatively, she said it was conceivable that some obligation could be placed on developers who had full control of the networks to fix bugs or other flaws that arise during system operation and threaten that operation.

Source link