ON APPEAL FROM HIGH COURT OF JUSTICE
BUSINESS AND PROPERTY COURTS OF ENGLAND AND WALES
BUSINESS LIST (ChD)
Mrs Justice Falk [2022] EWHC 667 (Ch)
BL-2021-000313
Royal Courts of Justice
Strand, London, WC2A 2LL
Before :
LORD JUSTICE LEWISON
LORD JUSTICE POPPLEWELL
and
LORD JUSTICE BIRSS
Between :
Tulip Trading Limited (a Seychelles company) | Appellant/ Claimant |
- and - | |
(2) Wladimir Jasper van der Laan (3) Jonas Schnelli (4) Pieter Wuille (5) Marco Patrick Falke (6) Samuel Dobson (7) Michael Rohan Ford (8) Cory Fields (9) George Michael Dombrowski (10) Matthew Gregory Corallo (11) Peter Todd (12) Gregory Fulton Maxwell (14) Roger Ver (15) Amaury Séchet (16) Jason Bradley Cox |
Respondents / Defendants
(1) Bitcoin Association for BSV
(a Swissverein)
(13) Eric Lombrozo
John Wardell KC, Bobby Friedman, Sri Carmichael (instructed by Ontier LLP) for the Appellant
James Ramsden KC (instructed by Bird & Bird LLP) for Respondents 2 to 12 & 15 to 16
Alex Charlton KC, Daniel Khoo (instructed by Brett Wilson LLP) for Respondent 14
Hearing dates: 7-8 December 2022
Approved Judgment
This judgment was handed down remotely at 10.45am on 3 February 203 by circulation to the parties or their representatives by e-mail and by release to the National Archives.
.............................
Lord Justice Birss:
The question in this appeal is whether the developers who look after bitcoin may arguably owe fiduciary duties or duties in tort to an owner of that cryptocurrency.
The problem arises in this way. Tulip Trading Limited, a company associated with Dr Craig Wright, claims to be the owner of some bitcoin with a very high total value (the value in $ expressed in April 2021 was about $4 billion). The bitcoin is held at two addresses on the blockchain called 1Feex and 12ib7. However the private keys have been lost in a hack, likely stolen. Without its private keys Tulip cannot access its assets or move them to safety. However, Tulip contends, the developers named as defendants in this case control and run the four relevant bitcoin networks, and it would be a simple matter for them to secure Tulip’s assets, e.g. by moving them to another address which Tulip can control. Tulip contends that the role the developers have undertaken in relation to Tulip’s property (the bitcoin) and the power this role gives them, and all the circumstances (discussed below), mean that the developers should be recognised as a new ad hoc class of fiduciary, owing fiduciary duties to the true owners of bitcoin cryptocurrency, including in this case Tulip as true owner of the bitcoin at 1Feex and 12ib7. The fiduciary duties owed should extend to implementing the necessary software patch to solve Tulip’s problem and safeguard Tulip’s assets from the thieves. Tulip also alleges the existence of certain duties in tort. The developers deny they owe fiduciary or any other duties to Tulip. They contend that they have nothing like the power or control Tulip alleges and that duties of the kind Tulip contend for would be highly onerous and unworkable.
All of the defendants are resident outside the jurisdiction. Tulip obtained leave from the Master to serve the defendants outside the jurisdiction and the matter came before Falk J on an application to set aside service brought by most of the defendants who had by then been served. They were the second to twelfth, fifteenth and sixteenth defendants. The first defendant did not challenge service and the thirteenth defendant has not responded.
There is no dispute here or below about the general approach to jurisdiction disputes of this kind. There are three matters to be addressed: a merits test relating to the claim itself, a test relating to the gateways for service out of the jurisdiction under CPR Practice Direction 6B, and a forum conveniens/discretion question focussed on whether England and Wales is the appropriate forum for the dispute (see e.g. VTB Capital plc v Nutritek International Corp & Ors [2012] EWCA Civ 808 (paragraphs 99-101)). The claimant bears the burden on all three points.
The judge addressed all three matters, ruling against Tulip on the first one (the merits). The conclusion was that Tulip had not established a serious issue to be tried because there was no realistic prospect of establishing that the facts pleaded amount to a breach of fiduciary or tortious duty owed by the defendants to Tulip.
On the second (gateway) and third (forum) matters Falk J reached conclusions in Tulip’s favour at paragraphs 138-165 and 166-168 respectively. There was also an allegation by the defendant applicants of lack of full and frank disclosure before the Master but this was rejected (at paragraphs 169-170). None of these other matters have been pursued on appeal.
Although not relevant to the appeal, given the international nature of this dispute, it may be worth briefly highlighting aspects of the judge’s now unchallenged conclusions that there was a good arguable case that the claim would fall within the court’s jurisdiction. There was no dispute that the cryptocurrency in issue was property (paragraph 141) and there was a good arguable case that Tulip was resident in the jurisdiction (despite being a Seychelles registered company) and that the property was located here (see the passage from paragraph 142, concluding at paragraph 158). Therefore the property gateway 11 (CPR PD 6B) was satisfied. For similar reasons gateway 9(a) (damage within the jurisdiction) was satisfied (paragraphs 159-164). In terms of forum, the conclusion (paragraph 168) was that there was no other jurisdiction with which the dispute had a closer link than England, or was even arguably the proper forum.
Many of the factual allegations made by each side were disputed by their opponents, and a significant volume of evidence had been filed. The judge held (paragraph 13) that “The Defendants' evidence was certainly not sufficiently strong to enable me to conclude that [Tulip’s] factual case was no more than fanciful.” There is no challenge to that conclusion, which in my judgment was the right one. The judge later (paragraph 52) expressly held that Tulip’s claim to ownership of the bitcoin and that the hack had occurred could not be dismissed summarily.
The judge approached the decision on the merits by identifying that the two claims (of breach of fiduciary duty and in tort) each depended on a point of law which could be decided, even assuming the facts alleged by the claimant in the claimant’s favour. The points of law were whether, on those facts, the defendants owed the alleged fiduciary duties or duties in tort.
The judge decided no such duties arose in law and so, since the claimant failed at the first limb, it followed that the judge’s order set aside the service on the relevant foreign defendants. The judgment is [2022] EWHC 667 (Ch), 25 March 2022. On appeal, the judge having refused permission, Andrews LJ gave permission on 10 August 2022. The fourteenth defendant was served after other defendants; and by various orders that defendant has joined the proceedings before this court on the same basis as the existing respondents to Tulip’s appeal.
Also before the judge was an argument about whether Tulip was seeking to change its case. The judge addressed this at paragraphs 114-125, refusing to take the new submission into account because no draft amended Particulars of Claim had been put forward and no application to amend had been made. On appeal Tulip produced a draft amended Particulars of Claim and, after prompting from the court, undertook to make an application to amend. I will come back to this below.
Approach to the merits test
The merits test can be summarised as being whether there is a serious issue to be tried, which is the same as there being a real as opposed to fanciful prospect of success, and is the same as the test for summary judgment (see e.g. AltimoHoldings and Investment Ltd v Kyrgyz Mobil Tel Ltd [2011] UKPC 7, [2012] 1 WLR 1804 at paragraphs 71 and 82, Vedanta Resources v Lungowe [2019] UKSC 20, [2020] AC 1045 at paragraph 42).
So far so good, but what is to be done about points of law? It is not easy to reconcile all the statements in the authorities on the approach to points of law on applications of this kind. The question boils down to whether jurisdiction applications are treated differently from other kinds of summary procedure. Is the court bound to decide a question of law, or at least should the court normally decide it, because the application is a jurisdiction application? Does it depend on whether the question goes to jurisdiction itself, i.e. the gateways, or “only” to the merits test? Moreover how does all this fit with another general principle, pulling in the opposite direction, that on a summary procedure it is no part of the court’s function “to decide difficult questions of law which call for detailed argument and mature consideration” (American Cyanamid v Ethicon [1975] AC 396 at 407, cited in this context in Altimo paragraph 84), and the frequent warning in the authorities against deciding controversial points of law in a developing area on assumed or hypothetical facts rather than on the basis of actual factual findings (e.g. Altimo paragraphs 84-86 and Begum v Maran (UK) [2021] EWCA Civ 326 per Coulson LJ paragraphs 23 and 71)?
In my judgment the same principles, about how to approach points of law, should apply to the merits test aspect of a jurisdiction application as to the test under the gateways, and I believe that view is supported by the first sentence of paragraph 86 of Altimo as follows:
“86. There is no reason why the same principle [that it is not normally appropriate in a summary procedure to decide a controversial question in law in a developing area] should not apply to the question whether, in a service out of the jurisdiction case on the “necessary or proper party” head, a claim is “bound to fail” as well as to the question whether there is a “serious issue to be tried” in the claim against D2.”
Therefore the court may, but is not bound in law to, decide any legal question arising, whether it is under the merits limb or the gateway limb. No doubt an important factor in deciding whether to do that will be the fact that the question goes to the jurisdiction of the court. If the point goes to jurisdiction and it can be decided summarily then no doubt it should be. However another important factor is the warning against deciding controversial points of law in a developing area on assumed or hypothetical facts. This concern does not cease to apply simply because the point arises in a jurisdiction application (whether under the merits test or the gateways). It is always an important factor to bear in mind.
The case on duty
To grapple with the case it is necessary to spend a bit of time on what bitcoin is, what the bitcoin networks are, the role of the developers in all this, and the position of Tulip. Much of what follows is taken from the corresponding section in the judgment (at paragraphs 16-35) but some of the points of emphasis and detail are different, no doubt owing to the way the case was put on appeal.
In October 2008 a famous paper, generally referred to as the “Bitcoin White Paper”, was published. Its actual title was Bitcoin: A Peer-to-Peer Electronic Cash System. The named author is “Satoshi Nakamoto”, which was a pseudonym. Dr Wright claims he is Satoshi Nakamoto. This is a hotly disputed claim and does not matter in this case.
The White Paper proposed a new online electronic cash system. The fact it is cash is important (and that is why the word “coin” is in the name bitcoin). The thing about physical cash is that it cannot be spent twice. Once I have handed over a physical coin to buy something from a shopkeeper, they now have it and I no longer do. I cannot spend it again. In the language of possession, before the transaction I possessed the token (and nobody else) while afterwards it is possessed by the shopkeeper. This characteristic of a physical coin is a key part of what allows the recipient of that token, and therefore everyone else, to place trust in the token’s value.
Electronic payment systems, which of course existed in 2008 as the White Paper acknowledged, solve the double spending problem in a different way because the payment systems are run by financial institutions, which both parties have to trust. The point of the White Paper was to propose a scheme using cryptographic methods to solve the double spending problem and create a form of electronic cash which does not rely on third party financial institutions.
Since then a number of different systems have been developed. Dr Wright maintains that the original bitcoin, and the only one properly so-called, is that held though the BSV Network. Like the judge, my use of the term bitcoin in this judgment reflects common usage, rather than being intended to express a view on that point, which is not relevant.
In the bitcoin scheme transactions are recorded in a ledger or database known as a blockchain, with each network having its own ledger. The blockchain constitutes a public registry recording every transaction. A given amount of bitcoin is simply a number held at a certain digital address. A transaction simply involves reducing the value at one address and correspondingly increasing it at another. Whether new addresses are created in this process does not matter for present purposes, as different cryptocurrencies work in different ways. The amounts held at every address are public, but the identity of the parties is not. The blockchain does not reveal the relationship between the digital addresses and any persons.
Each digital address is associated with a pair of public and private cryptographic keys. The public key identifies the address on the network. The relevant private key is the means by which bitcoin can be dealt with. The holder of the private key uses it to cryptographically sign a record of the transaction moving bitcoin from one address to another. The record is called a cryptographic hash. The public/private key pair means that the person signing with the private key is proving that they are associated with the public key (and so the address), without revealing the private key itself. The hash ensures that any attempt to alter the record would be noticeable, because even the smallest change would alter the hash.
For each network there are devices on the network that undertake "mining". This is the means whereby transactions are validated. The latest transactions are gathered together into a block, which also includes a hash of the previous block (hence each block is chained to its predecessor, making a “blockchain”). The miners work in competition with each other to produce an appropriate hash of this new block. The competition is to find a unique “number used once” or nonce, which causes the hash of the new block to have certain defined characteristics. This is called a "proof of work". Blocks that have been validated this way are broadcast to the network and incorporated into further work. Miners receive both transaction fees and new bitcoin.
The signing of the hashed transaction record with users’ private keys in the first place, and the incorporation of these records into a hashed chain of blocks produced by the proof of work, solves the double spending problem. This characteristic of bitcoin does not emerge as a matter of law or convention, it is a characteristic which arises as a matter of fact from the way the software works. As a result it is meaningful to describe bitcoin not merely as something which is transferable but as “rivalrous” (see the Law Commission’s recent Digital Assets: Consultation Paper [Law Com No 256]). For a transferable thing to be rivalrous, the holding of it by one person necessarily prevents another from holding that very thing at the same time. Because the holder cannot double spend their bitcoin, such that it is rivalrous, the cryptoasset can be said to be capable of assumption by a third party (see the definition of property in National Provincial Bank v Ainsworth [1965] 1 AC 65). Thus, as Bryan J held in AA v Persons Unknown [2019] EWCH (Comm) 3556 (paragraphs 55-61) citing Ainsworth, a cryptoasset such as bitcoin is property.
In a sense the token which is the bitcoin analogue of a real coin is the chain of cryptographically signed and validated transactions relating to the relevant entry in the ledger. Since every transaction relating to that token adds to its chain, some would say a fresh piece of property is created every time bitcoin is transferred, but there is no need on this appeal to get into that debate.
There are four bitcoin networks in issue in this case: BSV, BTC, BCH and BCH ABC. Dr Wright contends that these networks arose in chronological order, starting with BSV. Each later network started life as a copy of the blockchain of a pre-existing network (which is after all public) but by then applying different software thereafter. BTC was created by copying the BSV blockchain as it was in 2017, and subsequently BCH and BCH ABC were formed in a similar way. As the judge explained (paragraph 20):
“The effect of copying is that all historic transactions up to the point of creation of an additional Network are the same as for the Network from which the blockchain was copied. This is the reason that all four Networks are involved here: [Tulip’s] case is that the relevant assets were held on the BSV Network and have been replicated in the others through the process just referred to, including (in the case of the BCH ABC Network) after the hack occurred.”
Some of the foregoing is not accepted by the defendants but this appeal proceeds on the basis that it can be assumed to be correct.
Each network is supported by software called client software. Not only are the blockchains public, but the source code for the necessary client software for a given network is also public. The source code is made available on a public (“open source”) code database called GitHub. To participate in a given network participants run the source code for that network from the relevant database. It is that software which embodies the rules applicable to that network.
Anyone can propose a change to this software, however a change can only be implemented by someone with the relevant electronic password for the particular code database on GitHub. At least in the case of the software for the BTC Network, this is by a process called “merge commit”, but the detail does not matter. Tulip’s case is that the developers are in control of that software because they decide what amendments, if any, are made to the software. They hold the relevant passwords. This explains why the relevant defendants are called developers. They are software developers.
Tulip contends that the second to thirteenth defendants are the developers of the BTC Network, the fourteenth defendant is the developer for the BCH Network, and the fifteenth and sixteenth defendants are the developers of the BCH ABC Network.
This software development process is an ongoing one. No software is static. Although the code develops over time in other ways, it is instructive to consider software bugs briefly. The existence of bugs comes to light and they will then need to be fixed. This applies to bitcoin like any other software. However even that can involve judgment, since there may not be agreement that the alleged bug in the software is a bug at all and, even if that is agreed, there may not be a consensus on how to fix it. It is the developers who make this decision. It can be as much a decision not to fix something which some people contend is a bug, as it is a decision to introduce a fix and change the way the software works. When the developers introduce new software, that may operate in unexpected ways, introducing new (alleged) bugs.
Notably, says Tulip, it is not miners who control the software. If a miner operating on a given network failed to apply a given software update, then, as the judge explained in paragraph 33, they would become unable to mine the network in question from the perspective of the majority of users, which would be against their (substantial) commercial interests or the interests of those who control them.
The defendants challenge this description of the developers’ position and of the likelihood that software updates would be accepted. The debate involves the concept of “decentralisation”, which includes the suggestion that the developers are better seen as a large and shifting class, and the idea of “forks”. It is summarised in the judgment at paragraphs 34 and 35:
“34. The Defendants challenge this, portraying (particularly in the case of the BTC Developers) a decentralised model in which, to the extent that they are or continue to be involved in software development for the Networks (which is disputed for some of them), they are part of a very large, and shifting, group of contributors without an organisation or structure. Further, any change that they were able to propose to address [Tulip’s] complaint would be ineffective, because miners would refuse to run it and instead would continue to run earlier versions of the software. What [Tulip] sought went against the core values of bitcoin as a concept. A disagreement could lead to a "fork" in the Networks, resulting in the creation of additional networks rather than a resolution of the issue. The Fifteenth and Sixteenth Defendants also claim that if they attempted to make the changes sought to the BCH ABC Network it would have a severely detrimental effect on their reputations, and participants would refuse to adopt them.
35. [Tulip] disputes this, maintaining that there is no mechanism among miners that could allow for a collective refusal to accept a software update, the consensus mechanism that does exist being limited to the acceptance by nodes of blocks of transactions verified by other nodes (by using the hash value produced as the starting point for the next block), rather than relating to the protocols that govern the Network. A fork would only be created if some of the developers refused to make the change. If some developers produced rival protocols, then a split could occur, such as those that resulted in the different Networks in this case. However, the controlling developers are parties to these proceedings and would be bound by the court's order.”
That debate could not be resolved in the jurisdiction application, nor on this appeal, although one ground of appeal is a submission that part of the reasoning in the judgment involved an unwarranted acceptance of part of the defendants’ disputed case on decentralisation.
At this stage I refer to the academic literature, which was cited below. A paper refers to “the myth of decentralised governance” and argues that the developers of public blockchain systems like bitcoin are fiduciaries. The paper is entitled “In Code(rs) we trust: Software Developers as Fiduciaries in Public Blockchains” by Angela Walch of St Mary’s University San Antonio Texas and UCL Centre for Blockchain Technologies and appears as a chapter in Regulating Blockchain, Techno-Social and Legal Challenges, edited by Hacker, Lianos, Dimitropoulos & Eich, OUP, 2019. Nevertheless there is also academic literature supporting the contrary view, i.e. Haque et al “Blockchain Development and Fiduciary Duty” Stanford Journal of Blockchain Law and Policy, 2019, Vol 2.2 pp139-188.
The judgment refers to this literature compendiously at paragraph 66 noting that it is not written from an English legal perspective. That is true. Nevertheless it seems to me that the Walch paper in particular provides independent support, if it were needed, for the idea that Tulip’s challenge to the case on decentralisation is arguable.
The position of Tulip concerning its ownership of the bitcoin and the hack was addressed fully by the judge in paragraphs 23-31. To recap briefly, Tulip claims that it is the owner of bitcoin at the addresses mentioned above. It also claims that the relevant private keys were kept in encrypted electronic file(s) which were password protected. The loss of the files due to a hack was discovered in February 2020 and reported to Surrey police (Dr Wright lives in Surrey). Dr Wright believes the bitcoin may not have been moved from the addresses because although the hackers have taken the files, they cannot crack the encryption which protects the private keys inside them.
One might wonder how Tulip’s bitcoin (assuming that is what it is) can be transferred without the private key and so restored to Tulip. The answer is Tulip’s submission that it is incorrect to suggest that bitcoin may only be transferred using private keys. It is true that as the bitcoin software is currently coded, a user cannot transfer bitcoin on the blockchain other than with the relevant private key, however, as the judge explained in paragraph 21:
“21. Dr Wright maintains that it is not technically difficult for a patch to the computer code that operates the relevant Network to be developed which would have the effect of transferring the digital assets to which access has been lost to a new address. That new address would have a (new) private key, which the rightful owner could then use to regain access to their digital assets, and a public key. [Tulip] claims alternatively that the patch the Defendants could provide could ensure that [Tulip] regains control of the assets in their existing locations, which I assume would involve allocating replacement private keys to the existing addresses. In either case, however, the relief sought is a patch which would resolve the position for [Tulip] alone.”
One aspect of the defendants’ case is that if such a patch was added to the bitcoin network source code at the relevant GitHub database, then the miners might not accept it and a fork would or may occur, but the likelihood of that happening is an aspect of the dispute on decentralisaton which cannot be resolved without a trial.
The essence of Tulip’s case is that the result of all this is that the developers, having undertaken to control the software of the relevant bitcoin network, thereby have and exercise control over the property held by others (i.e. bitcoin), and that this has the result in law that they owe fiduciary duties to the true owners of that property with the result that, on the facts of this case, they are obliged to introduce a software patch along the lines described above, and help Tulip recover its property.
The law on the incidence of a fiduciary duty
For the purpose of this appeal the case on whether the defendants owe a duty in law on these facts can focus entirely on the fiduciary duty. As the case was argued by the claimant, the duties in tort only arise if the defendants do owe a fiduciary duty. Even if there is a fiduciary duty, it does not follow that the pleaded duties in tort necessarily must arise but there is a sufficiently close relationship between the issues that if the appeal should be allowed on fiduciary duty, the right course would be to allow the appeal on the tortious duties as well and allow the case as a whole to go forward.
The classic definition of a fiduciary was set out by Millett LJ in the following passage from Bristol and West Building Society v Mothew[1998] Ch 1 at 18A-C:
“A fiduciary is someone who has undertaken to act for or on behalf of another in a particular matter in circumstances which give rise to a relationship of trust and confidence. The distinguishing obligation of a fiduciary is the obligation of loyalty. The principal is entitled to the single-minded loyalty of his fiduciary. This core liability has several facets. A fiduciary must act in good faith; he must not make a profit out of his trust; he must not place himself in a position where his duty and his interest may conflict; he may not act for his own benefit or the benefit of a third person without the informed consent of his principal. This is not intended to be an exhaustive list, but it is sufficient to indicate the nature of fiduciary obligations. They are the defining characteristics of the fiduciary.”
Millett LJ’s test has often been cited with approval, including by the Supreme Court in FHR European Ventures LLP v Cedar Capital Partners LLC [2014] UKSC 45, [2015] AC 250, at paragraph 5 and, more recently, in Children's Investment Fund Foundation (UK) v Attorney General and others (also referred to as Lehtimaki v Cooper) [2020] UKSC 33, [2022] AC 155. In the latter case at paragraph 44 Lady Arden said:
“There has been considerable debate as to how to define a fiduciary, but it is generally accepted today that the key principle is that a fiduciary acts for and only for another. He owes essentially the duty of single-minded loyalty to his beneficiary, meaning that he cannot exercise any power so as to benefit himself.”
Tulip framed its case by reference to the “reasonable expectations” of persons about the behaviour of a putative fiduciary. The idea of using “reasonable expectations” as a tool for identifying a fiduciary relationship seems to stem from academic work by Professor Paul Finn (later Finn J). One way of expressing the idea is as follows:
“… a person will be a fiduciary in his relationship with another when and insofar as that other is entitled to expect that he will act in that other’s interest to the exclusion of his own several interest.”
[taken from a 1989 article by Professor Finn, cited in the judgment of Newey J in Vivendi v Richards [2013] EWHC 3006 (Ch) para 138]
However in Children’s Investment Fund in the Supreme Court Lady Arden referred to the fact that the Court of Appeal in the same case had adopted a test based on reasonable expectations (put forward by Finn J, by then a judge sitting in the Federal Court of Australia, in Grimaldi v Chameleon Mining NL (No 2)(2012) 287 ALR 22, para 177). At paragraph 48 Lady Arden said:
“This formulation introduces the additional concept of reasonable expectation of abnegation of self-interest. Reasonable expectation may not be appropriate in every case, but it is, with that qualification, consistent with the duty of single-minded loyalty.”
Therefore, at least in this jurisdiction, the concept of reasonable expectations may have explanatory power after the event in some cases but cannot be used as a touchstone for classifying a relationship as fiduciary or not. The definitive test remains as set out in Mothew.
Tulip also relied on Mason J’s dissenting judgment in Hospital Products Ltd v United States Surgical Corp [1985] LRC (Comm) 441 (another Australian case) for the proposition that an imbalance of power and vulnerability are the defining characteristics of a fiduciary relationship. However, as pointed out by the respondents, the Chief Justice, with whom the majority agreed, said at paragraph 32 that: “it is clear that [inequality of bargaining power] alone is not enough to create a fiduciary relationship in every case and for all purposes”.
It also important to note that the question of whether someone is a fiduciary is an objective one. As set out in Mothew at 18C: “[the fiduciary] is not subject to fiduciary obligations because he is a fiduciary; it is because he is subject to them that he is a fiduciary.” As explained by Sales J in F & C Alternative Investments (Holdings) Ltd v Barthelemy (No.2) [2011] EWHC 1731 (Ch), [2012] Ch 613 at paragraph 225, fiduciary obligations are “imposed by law as a reaction to particular circumstances of responsibility assumed by one person in respect of the conduct of the affairs of another". In Vivendi SA v Richards [2013] EWHC 3006 (Ch), [2013] BCC 771 at paragraph 139, Newey J put it clearly that: “the question whether there was such an undertaking/assumption must be determined on an objective basis rather than by reference to what the alleged fiduciary subjectively intended”.
Finally, Mothew also clarifies at 18H that a fiduciary is in breach of their obligation of undivided loyalty if they act for two principals who have potentially conflicting interests without obtaining the informed consent of both.
The judgment below
The judge held (paragraphs 53-83) that, assuming in Tulip’s favour that it would be able to establish the facts on which it relies at a trial, nevertheless Tulip had no realistic prospect of establishing that a fiduciary duty of the kind alleged was owed by the defendants to Tulip. The detailed reasoning in support of this conclusion is in paragraphs 73 to 83.
At paragraph 73 the judgment characterises the foundation of Tulip’s case as the alleged imbalance of power combined with the fact that Tulip had ‘entrusted’ its property to the defendants. Imbalance of power is rejected as relevant because it is not a defining characteristic or a sufficient condition for the existence of the duty. On entrustment the finding is that:
“73 … Further (and to the extent relevant), I do not think that bitcoin owners can realistically be described as entrusting their property to a fluctuating, and unidentified, body of developers of the software, at least in the sense and to the extent claimed by [Tulip].”
Paragraph 74 addresses the developers’ ability to introduce for their own advantage a bug or feature into the software that compromised owners’ security but served their own purposes, finding:
“74 … I can see that it is conceivable that some form of duty could be engaged in that situation, although whether it would properly be characterised as a fiduciary duty is another matter. At least it could be said that in that situation the developers making the update had arguably assumed some responsibility by performing that function, although I think it is much more doubtful whether that would amount to a relationship requiring single-minded loyalty.”
Paragraph 75 and later paragraph 82 address the fact that Tulip’s case involves the imposition of a positive duty (to introduce a software patch), acknowledging that Attorney General v Blake [1998] Ch 439 did not exclude the possibility of the court requiring a fiduciary to perform positive steps. The positive duties alleged by Tulip are held to go well beyond the kinds of activity recognised in previous cases (paragraph 82 last sentence). Also in this respect paragraph 75 notes that the assumption of responsibility Tulip has to rely on is:
“the Defendants' alleged control of the Networks and their alleged ability to make a change to the software, irrespective of whether they are actually engaged in making changes, and in the absence of any more general contractual or other obligation to make changes in the future.”
At the end of paragraph 75 the point is made that it cannot realistically be argued that the defendants owe continuing obligations to remain as developers and make future updates whenever they might be necessary.
Paragraphs 76-80 address what is described as a fundamental difficulty for Tulip, i.e. the defining characteristic of a fiduciary relationship - the obligation of undivided loyalty. Tulip had accepted that the fiduciary duty it relies on must be owed to bitcoin owners generally, however the difficulty which remains was said to be that the steps that Tulip would require to be taken were a specific software patch for its benefit alone rather than a systemic change for the benefit of other users. This could be to the disadvantage of other participants in the Network, most obviously to those with a rival claim to the assets. Tulip’s answer to that latter point was that the duty owed is to the true owner of bitcoin and not others, and that if Tulip were established as the true owner then the relief sought would not breach any duty owed to other claimants. This raised a point on the nature of a declaration of ownership operating in personam rather than in rem and issued under CPR r40.9.
However the judge’s main reason for rejecting Tulip’s answer on this issue is given in paragraphs 78 to 79:
“78 I do not consider that this [the argument the duty is owed to the true owner] is a sufficient answer. It is uncontroversial that a fundamental feature of the Networks, at least in their existing form, is that digital assets are transferred through the use of private keys. TTL effectively seeks to bypass that. There must be a real risk that acceding to TTL's demands would not be consistent with a duty of single-minded loyalty owed to other users.
79. At a general level, some users may not agree that a system change that allowed digital assets to be accessed and controlled without the relevant private keys, contrary to their understanding of how the system is intended to operate, accords with their interests, even if made only following an order of the English court declaring that TTL owns those assets. …”
Then at paragraph 80, the judgment again refers to rival claimants for the bitcoin and highlights the problem that in acceding to Tulip’s demand the defendants may be exposed to risk on their own account. Such a claim would not necessarily be brought in the English court. This passage concludes as follows:
“80 … Even if it could be argued that there was some form of relationship of trust and confidence, it does not follow that a duty of loyalty arises to TTL to the exclusion of the interests of others, whether third parties or the Defendants themselves.”
Finally at paragraph 81 the concept of legitimate expectation is found to be useful in the present case on the footing that there is no realistic prospect of establishing that there was a reasonable, or legitimate, expectation, that the Defendants would act only in Tulip’s interests, in circumstances where that could expose them to real risk.
In conclusion paragraph 83 is as follows:
“83. As already indicated, at a general level I can see that any holder of digital assets on the Networks will have certain expectations, for example about the security of the Network and private keys, the efficacy of the "proof of work" processes and indeed anonymity. A software change that compromised these might engender some cause for complaint by users (although that is far from saying that any duty that might arise in those circumstances would necessarily be in the nature of a fiduciary duty). But what I cannot see is a realistic basis for concluding that the pleaded facts could provide a basis for the imposition of a fiduciary duty in favour of [Tulip], together with a conclusion that that duty has been breached.”
Thus the claim based on fiduciary duty failed.
At this stage it is convenient to address the part of the judgment dealing with the change in Tulip’s case. This was covered in paragraphs 114-125. There was a debate about procedure but the point of substance was that one of the difficulties about Tulip’s case was that it required the defendants to investigate and make decisions about the (potentially) disputed ownership of the relevant bitcoin and then give effect to those decisions. This reflected the fact that Tulip pleaded that the defendants were already in breach of the duties. Tulip sought to answer this by submitting that its case included a contention based on anticipated breach. In other words an argument that while the defendants may not be in existing breach of the duty now, because the court has not yet positively declared that Tulip is indeed the owner, nevertheless the defendants’ position was already clear that even if the court did grant such a declaration, they would not act in the manner Tulip said they should. Therefore although the breach had not yet occurred, it could clearly be anticipated in the circumstances. After all the key remedy sought by Tulip in this case is an injunction to require the developers to act.
In terms of procedure, Tulip argued that there was no need to amend pleadings because this case was already covered by the existing pleadings. The judge held (paragraph 117) that this anticipatory case was not covered by the existing pleading. Therefore (paragraph 125) while permission to amend might have been granted if a proper application had been made, subject to costs, there was no such application and without it Tulip were not entitled to pursue this alternative case.
The judgment on the merits ends with two final matters – policy considerations (paragraphs 129-135) and a point on effectiveness of remedies (paragraph 136-137). In relation to policy, paragraph 133 accepts that the case raises important issues. However as the paragraph (and para 134) concludes, rightly in my view, the fact that a case raises important or difficult issues does not help if there is no serious issue to be tried. The section on policy ends at paragraph 135 with a reference to the current Law Commission project on digital assets, which includes as areas for consideration both competing claims to digital assets and how legal remedies or actions can protect them, stating that:
“135. … whether the law should be developed in a way that would address all or part of [Tulip’s] case is no doubt something that could be considered by the Law Commission and, if appropriate, by Parliament.”
The point on the effectiveness of remedies related to the status of others who were not defendants and who might frustrate the purpose of the injunction sought in this case by Tulip. At paragraphs 136-137 the judge concluded it was not necessary to decide the issue. I agree.
The grounds of appeal
Permission was given on 6 grounds. It is convenient to start with Ground 6, which relates to the change in Tulip’s case. I am not surprised the judge refused to permit Tulip to rely on its alternative case in the circumstances as they were below. However Tulip has now provided draft Amended Particulars of Claim and has undertaken to apply to amend. Given the very early stage which these proceedings have reached, the only prejudice which would now be caused if permission is given can be compensated in costs. That means that the alternative case can be considered in this court, as part of the analysis of the other grounds of appeal.
Of the five remaining grounds, there is no need to consider ground 5 because it relates to duties in tort and as explained above, the tort case cannot succeed without the fiduciary claim but if the appeal succeeds on fiduciary duty, the same should follow for the tort claim.
The four relevant grounds of appeal are, very briefly:
Ground 1: this is a developing, complex and uncertain area of law and therefore the point ought to go to trial;
Ground 2: the conclusions are in error because they are based on findings impermissibly assumed against Tulip (5 specific points are taken);
Ground 3: Taking into account the Law Commission project was an error;
Ground 4: The judge was wrong to hold that Tulip has no real prospect of establishing that the claimed fiduciary duties exist (this ground involves 7 specific points).
Of these grounds, the real issues relate to ground 2 and 4. Ground 1 is best considered as a theme of Tulip’s overall submissions rather than a free-standing submission. It is not capable of turning a case in which there really is no serious issue to be tried into a viable action which ought to go ahead. Ground 3 is a minor point and a poor one. The submission is that the reasoning in paragraph 135 in effect used the existence of the Law Commission’s project as a reason for not finding a fiduciary duty in this case. In fact by this stage of the judgment it is clear that the judge had formed the view that there was no serious issue to be tried. The relevant observation that the Law Commission is undertaking a project in this area was not deployed as a reason for denying a duty. It was an accurate observation that if the law should be developed beyond the point the judgment had identified then that is something the Law Commission could consider.
Two grounds are advanced by the respondent’s notice. The first is that even if, which is denied, the judgment does proceed on a factual premise wrongly assumed against Tulip, even absent those matters Tulip’s case still fails. The second is that regardless of whether it is permitted for Tulip to advance its alternative case, it does not raise a serious issue to be tried. In relation to the alternative case, there is a point on remedies which I will address below in context.
Assessment
I start the analysis with the passage from Mothew cited above. As counsel for Tulip submitted, what Mothew shows is that a fiduciary is someone who has undertaken a role with the relevant characteristics. Key characteristics are that the role involves acting for or on behalf of another person in a particular matter and also that there is a relationship of trust and confidence between the putative fiduciary and the other person. The reason for spelling this out is because in the present case, in my judgment, the developers are people who it is clearly arguable have undertaken a role which at least bears some relationship to the interests of other people, that is to the owners of bitcoins. Of course getting this far in the analysis is not sufficient to fix the developers with fiduciary duties, but these are important features of the circumstances, and they are also necessary components of what it means to be a fiduciary.
Next, it is relevant to observe that the facts of this case (whichever party is right about the details) are new and quite a long way from factual circumstances which the courts have had to examine before in the context of fiduciary duties. The categories in which fiduciary relationships can be identified are not closed; albeit that it is exceptional for fiduciary duties to arise other than in certain settled categories (per Leggatt J at paragraph 157 of Al Nehayan v Kent [2018] EWHC 333, [2018] 1 CLC 216). Nevertheless the common law often works incrementally and by analogy with existing cases, and rightly so; but if the facts change in a way which is more than incremental I do not believe the right response of the common law is simply to stop and say that incremental development cannot reach that far.
The unusual factual feature of the present case is that literally all there is, is software. A physical coin has properties which exist outside the minds of people who use it and in that sense is tangible. Bitcoin is similar. It also has properties which exist outside the minds of individuals, but those properties only exist inside computers as a consequence of the bitcoin software. There is nothing else. And crucially, asserts Tulip, it is the developers who control this software. On Tulip’s case that control is very significant. In a bank the software developers as individuals will be tasked with maintaining the source code for the bank’s accounts and payment systems, but they are subject to ultimate control by the board (and subject to regulation). The bank’s developers have nothing like the control over the customer’s assets which Tulip alleges the bitcoin developers have over bitcoin. These allegations are heavily contested by the developers in this case, who advance their case on decentralisation, but that cannot be resolved on this application or appeal.
A further aspect of Tulip’s case is to examine the manner in which the developers exercise their control over the software. Focussing on a software bug, if a third party identifies such a problem and the developers agree it should be fixed, then the developers will no doubt act to introduce a change in the source code in the relevant GitHub account, and computers on the network will update the software they are running (absent a fork, which again can only be a matter for trial). In other words the fulfilment of their role as developers involves taking active steps to update the code. It is not limited to such active steps, because the developers can also decline to update the code, but the role has a clear positive element.
This analysis also demonstrates that the role involves the exercise of authority by the developers, given to them by their control of access to the source code, and it is a decision-making role, in effect making decisions on behalf of all the participants in the relevant bitcoin network, including miners and also including the owners of the bitcoin. These features, of authority and of discretionary decision making, are common to fiduciary duties (see Al Nehayan paragraph 159).
A point which took on more significance on appeal than it may have had below is whether it is arguable that the developers owe at least some kind of fiduciary duty to bitcoin owners, different from the one pleaded by Tulip. The example would be a duty not to introduce a feature for their own advantage that compromised owners’ security, referred to in judgment paragraph 74.
I agree with the judge that it is indeed conceivable that relevant individuals – when they are acting in the role of developers – should be held to owe a duty in law to bitcoin owners not to compromise the owners’ security in that way. It would be a duty which involves abnegation of the developer’s self-interest. It arises from their role as developers and shows that the role involves acting on behalf of bitcoin owners to maintain the bitcoin software. It is also single minded in nature at least in the sense that it puts the interests of all the owners as a class, ahead of the developer’s self-interest. It is, I would say, arguably a fiduciary duty. It is difficult to see what other sort of duty it could be.
The significance of this conclusion is that it undermines part of the defendants’ case, which if correct would deny any fiduciary duty of any sort. One of the points made in the judgment (at paragraph 73) is that there is no entrustment by owners because the developers are a fluctuating and unidentified body. Tulip does not agree with that characterisation. It is in fact part of the developers’ case on decentralisation and, no doubt inadvertently, the judgment here accepted a highly contested fact as a premise. In my judgment, as Tulip submits on appeal ground 2C and 4A, this is a significant flaw in that part of the reasoning. Moreover if such a point were sound, it would be just as good as a reason to deny the fiduciary duty I have just identified as arguable.
A further step from here is to examine whether the arguable duties arising from the role the developers have undertaken include not only a negative duty not to exercise their power in their own self-interest but a positive one to introduce code to fix bugs in the code which are drawn to their attention. It would be a significant step to define a fiduciary duty in that way, but since the developers do have the practical ability to prevent anyone else from doing this, one can see why a concomitant duty to act in that way is properly arguable. Without the relevant password (etc.) for the bitcoin software account in Github, no one else, such as a concerned bitcoin owner, could fix the bug. If a bitcoin owner identified a bug and wrote the code to fix it, that fix could still only be implemented if the developers agreed to do so in the exercise of their de facto power. In a very real sense the owners of bitcoin, because they cannot avoid doing so, have placed their property into the care of the developers. That is, in my judgment, arguably an “entrustment”.
Moreover, in terms of legitimate expectations (see judgment paragraph 81) it is realistic to say that bitcoin owners have a legitimate expectation that the developers will not exercise their authority in their own self-interest to the detriment of owners, and that they will act in good faith to use their skills to fix bugs in the software drawn to their attention.
Again if this analysis is arguably correct, as I believe it to be, it undermines the defendants’ case about competing interests and undivided loyalty (see judgment 76-80). There may well not be a consensus amongst bitcoin owners that a given bug should be fixed in a particular way or at all. But the developers will still make a decision to make a change or not, and no doubt act in good faith in doing so. The fact there may not be a consensus amongst owners does not of itself undermine the conclusion that the duty of developers is fiduciary in nature. If anything it serves to underline the fact that the owners really do place trust in the developers to make good decisions on their behalf. The informed consent of the owners as a whole to the developers to exercise their authority this way can be inferred from the circumstances (cf Mothew at 18H and Kelly v Cooper [1993] AC 205). Trustees will often have to make decisions which have the result of favouring the interests of one beneficiary over another, but that does not mean they cease to be fiduciaries as a result. Therefore even if a change was only for the benefit of one owner (such as in this case), that does not preclude it being in accordance with the relevant fiduciary duty.
The final step relates to the specific duties pleaded in this case. These undoubtedly go even further. Focussing on Tulip’s case as amended and putting it at its highest, the duty is said to arise when it is established (e.g. by a court of competent jurisdiction) that the true owner of the bitcoin at a certain address is unable to access it because their private key has been stolen by thieves. The true owner’s property is vulnerable because the thieves might be able to extract the private key from what they have stolen and transfer the owner’s bitcoin for themselves. The duty which is said to arise in these circumstances is to introduce a code update which will transfer that bitcoin into a safe account controlled by the true owner or which will safeguard that bitcoin in some other way.
Tulip’s amended case arguably removes one of the difficulties with its case as put previously, that the developers were already in breach only because they had not acted after Tulip raised its claim with them. The amended case puts the duty on the basis that it is only breached if the developers do not act with the benefit of a decision of a court of competent jurisdiction on the ownership of the property. The developers do not have to adjudicate the dispute themselves.
Nevertheless I recognise that a decision of this court in a dispute within its jurisdiction will only be in personam and not in rem, but that is true in any or at least most property disputes. A question posed is the risk to which developers may be exposed by an order of this court based on a decision that they are in breach of fiduciary duty. What if a rival claimant went to a different court and obtained a contrary judgment or order? The answer in my judgment is that this concern, which I accept may not be fanciful, cannot be a reason why there is not a serious issue to be tried in what would otherwise be a properly arguable case within the court’s jurisdiction. Taken to its logical limit the problem would arise whichever court a claim of this kind came before and would lead to the view that there is no court which can adjudicate the claim. That is not right. The internet is not a place where the law does not apply. It is worth repeating a point made at the beginning that there is no challenge at this stage to the judge’s ruling that this case involves property situated in this jurisdiction.
In paragraphs 78 and 79 the judgment notes that the change sought by Tulip would bypass what is currently a fundamental feature of the networks, namely that private keys are the only way to transfer the digital assets. This is said to risk being contrary to the duty of single minded loyalty but as I have explained above, the developers are already arguably entrusted with decision-making for the benefit of the owners as a class, even if some owners object. That loyalty seems to me to be capable of being sufficiently single minded to satisfy a legal test of fiduciaries.
In terms of the nature of the activity required to fulfil the duty, it is relevant that it is an act of the same kind as the actions the developers undertake to fulfil their ordinary role, i.e. a code update. The difference between positive and negative steps is very fact dependent. There is not always a clear cut distinction. The only real difference between the activity alleged to be required to fulfil this duty and the normal acts of the developers lies in the circumstances triggering it. I therefore do not regard the fact that updating software involves a positive step by the developers (cf AG v Blake) is a sound basis for saying there is no realistic prospect of success.
Pulling all this together, I recognise that for Tulip’s case to succeed would involve a significant development of the common law on fiduciary duties. I do not pretend that every step along the way is simple or easy. However there is, it seems to me, a realistic argument along the following lines. The developers of a given network are a sufficiently well defined group to be capable of being subject to fiduciary duties. Viewed objectively the developers have undertaken a role which involves making discretionary decisions and exercising power for and on behalf of other people, in relation to property owned by those other people. That property has been entrusted into the care of the developers. The developers therefore are fiduciaries. The essence of that duty is single minded loyalty to the users of bitcoin software. The content of the duties includes a duty not to act in their own self interest and also involves a duty to act in positive ways in certain circumstances. It may also, realistically, include a duty to act to introduce code so that an owner’s bitcoin can be transferred to safety in the circumstances alleged by Tulip.
In reaching this conclusion I have addressed all the major points advanced by Tulip on this appeal, as well as the first ground of the developers’ respondent’s notice. They were: the fluctuating class of developers/ decentralisation / entrustment (ground 2C and 4A), single minded loyalty and conflicting duties (ground 4B and 4C), rival claimants, risks to the developers and expectations (ground 4D and 2A), positive steps (ground 4F), a change only for one owner’s benefit (ground 4E).
I have not addressed the imbalance of power directly (ground 4G) because it does not add anything to the fiduciary analysis. I believe it is a potential distraction, which is a similar reason to the judge’s decision to put that point to one side. Nor have I addressed ground 2D (owners are anonymous) or 2E (insurance) because they do not advance the issues.
Respondent notice ground 2 - remedies
Respondent’s notice ground 2, as put in relation to Tulip’s alternative case, is that the injunction sought if Tulip’s case was made out is not realistically arguable because Tulip has not sought relief “against the alleged hackers or the operators of the wallets from which the bitcoin was allegedly stolen”. To the extent this point was still pressed in this case, it is not a good one. It is true that today there is a well-developed practice of interim remedies relating to cryptoassets in the Business and Property Courts, including the Commercial Court and the Chancery Division. This includes freezing orders such as those against cryptocurrency exchanges and/or the holders of private keys, and information orders. However it was accepted in argument, rightly in my judgment, that none of these remedies would avail this claimant in this case because, on its case, Tulip does not know who stole the private keys.
The right place to examine the efficacy of remedies in this case would be at trial.
Conclusion
I would allow this appeal. The conclusion is not that there is a fiduciary duty in law in the circumstances alleged by Tulip, only that the case advanced raises a serious issue to be tried. The time to decide on the duty in this case is once the facts are established. As the judgment itself showed, to rule out Tulip’s case as unarguable would require one to assume facts in the defendant developers’ favour which are disputed and which cannot be resolved this way. If the decentralised governance of bitcoin really is a myth, then in my judgment there is much to be said for the submission that bitcoin developers, while acting as developers, owe fiduciary duties to the true owners of that property.
Lord Justice Popplewell:
I agree.
Lord Justice Lewison:
I also agree.