Lost your bitcoin private key? Bitcoin developers are not required to grant you access
28 June 2022
Buyers of bitcoin beware: if you lose your online banking password or PIN the solution is to contact your bank and ask for a new one. However, if you lose the private key to your bitcoin, the High Court has confirmed that bitcoin software developers are not required to assist you in regaining access to your bitcoin: Tulip Trading Ltd v Bitcoin Association for BSV & ors EWHC 667 (Ch).
Cryptocurrencies: the basics
Cryptocurrencies like bitcoin are non-state backed “currencies” represented digitally within a system which uses cryptographic authentication so only the holder of the private key can deal with the asset. Dealings are broadcast to a network of participants and, once confirmed as valid, added to a digital ledger. The ledger is distributed so that no one participant is in control of it.
The software underlying bitcoin is open source. This means that anyone can view and propose changes to the code, typically to fix existing issues or propose upgrades. Proposed changes are reviewed by other software developers and the network as a whole then decides whether to accept them.
Disagreements over whether to implement proposed changes have resulted in so-called “hard forks” which have led to there being different variations of the original bitcoin. The court collectively referred to the different variations (BTC, BCH, BSV and BCH ABC) as bitcoin and, for convenience only, this note will adopt that approach.
Background to the hack
The claimant is a Seychelles-incorporated company. Its CEO is Dr Craig Wright who claims to be Satoshi Nakamoto, the pseudonymous inventor of bitcoin who disappeared in 2011, although that claim is widely disputed.
Following a hack of computers located at Dr Wright’s home office in England (in which files containing private keys were stolen), the claimant said it was unable to access over GBP 3 billion worth of bitcoin. Instead of pursuing the anonymous hackers, the claimant sued the defendants who it said were the core developers and/or otherwise controlled the software of four bitcoin networks.
The claimant claimed that the defendants owed it fiduciary and/or tortious duties to assist it in regaining access to its bitcoin. It sought a declaration that it owned the bitcoin and orders requiring the defendants to take steps (by implementing a software patch) to ensure that it could access its bitcoin. Alternatively, it sought equitable compensation or damages.
None of the defendants were in the jurisdiction. Permission to serve the defendants out of the jurisdiction had previously been granted by the court. In the present application almost all the defendants challenged jurisdiction.
The test for whether permission should be granted for service out of the jurisdiction is that:
- there is a serious issue to be tried on the merits of the claim;
- there is a good arguable case that the claim falls within one or more of the jurisdictional gateways; and
- England is clearly or distinctly the appropriate forum for the trial of the dispute and the court ought to exercise its discretion to permit service out of the jurisdiction.
Bitcoin developers are not fiduciaries
A fiduciary is someone who has undertaken to act for or on behalf of another in circumstances which give rise to a relationship of trust and confidence. Bitcoin software developers do not fall into any previously recognised categories of fiduciaries (such as trustees or agents).
The claimant argued that the defendants owed it fiduciary duties because there was a significant imbalance of power owing to the defendants’ control of the networks and bitcoin owners effectively had entrusted the care of their bitcoin to the defendants. The defendants were therefore required to take all reasonable steps to provide the claimant with access to the bitcoin; and they were in breach by failing to do so.
The defendants disputed the claimant’s factual allegations that they controlled the networks and that it would be possible to implement a software patch to grant the claimant access to the bitcoin. They pointed to the following factors: bitcoin’s decentralised model; the very large and shifting group of developers of which they were part; and the likelihood that the community (specifically miners) would reject a software patch that “went against the core values of bitcoin as a concept”. The defendants also disputed that they were fiduciaries as a matter of law.
The court concluded that, even if the claimant’s factual allegations were true, the defendants were not fiduciaries because:
- an imbalance of power on its own was not sufficient;
- bitcoin owners could not realistically be described as entrusting their property to a fluctuating and unidentified body of developers;
- undivided loyalty to the claimant (which is the distinguishing feature of a fiduciary relationship) was not possible as the defendants would owe fiduciary duties to all bitcoin owners which could come into conflict (for example, the software patch demanded by the claimant would undermine the fundamental feature of the networks that bitcoin can only be transferred through the use of private keys); and
- the claimant’s demands could expose the defendants to risk, including claims from bitcoin owners generally and any rival claimants to the inaccessible bitcoin.
Bitcoin developers did not owe a duty of care
The claimant also argued that the defendants owed and were in breach of a tortious duty of care by, amongst other things, failing to assist it in regaining access to its bitcoin. The claimant accepted that this tortious duty would be novel but argued that it was a permissible incremental extension of the law. Firstly, the fiduciary relationship amounted to the necessary special relationship (required in cases of pure economic loss). Secondly, an analogy could be drawn with the Quincecare duty that a bank should refrain from executing a customer’s order if put on enquiry that it was an attempt to misappropriate funds because the developers (as controllers of the networks) could be equated with financial institutions.
The defendants argued against the existence of a duty of care by pointing to (amongst other things) the differences between acts and omissions; the breadth of the alleged duty; the fact that inability to access cryptocurrency without a private key was fundamental to the system; and (in the case of the BTC developers) a disclaimer in the software licence under which the code is released.
The court held that there was no tortious duty of care in these circumstances because:
- the claimant relied on the alleged fiduciary duties as the foundation for the special relationship but the developers were not fiduciaries;
- the claimant’s complaint was regarding the defendants’ failure to act following harm caused by a third party and imposing a duty in these circumstances would not be an incremental extension of the law;
- the analogy with the Quincecare duty did not work because that duty exists in different circumstances: where there is a contractual relationship between a bank and its customer, the bank acts as agent of the customer, and the duty is owed only to the customer and not a wider class;
- the duty would be owed to an unknown and potentially unlimited class;
- it would not be fair, just and reasonable to impose a duty with such an open-ended scope (requiring the defendants to investigate any claim that a private key was lost or stolen) and which would expose the defendants to claims from rival claimants to the bitcoin;
- bitcoin owners could take simple steps to protect themselves against loss of private keys (for example, by keeping copies in different locations and possibly by insurance); and
- developers are a fluctuating body of individuals and there was no basis for imposing a duty which would require them to remain involved and make changes when required.
The court also observed that, whilst the disclaimer in the software licence was relevant to the existence of a duty of care, its application to the facts was not sufficiently clear to make a difference in this summary procedure (as opposed to a trial which requires full investigation of the facts).
The claimant also argued that there were important issues of public policy which meant its case was not suitable for summary determination. These issues of public policy included the absence of a rationale for a person to be denied access to assets they own; the fact that (on the claimant’s case) the defendants alone were able to remedy the situation; and, given bitcoin is now widely held, a high standard of accountability should be applied to those in control of the bitcoin networks.
The court acknowledged these issues but did not consider that they could provide a foundation for the existence of a duty that did not have a realistically arguable basis under existing law.
Location of bitcoin
Given the claim failed at the first hurdle, the court did not need to go on to consider the other stages of the permission to serve out test. However, it agreed (obiter) with the claimant that in determining the location of the bitcoin, the test should be the claimant’s place of residence (where central management and control is exercised, ie England) rather than its country of domicile (its place of incorporation, ie Seychelles). It also agreed (obiter) with the claimant that England would have been the appropriate forum for the trial given the claimant’s and its CEO’s presence in the jurisdiction.
Bitcoin developers will have breathed a sigh of relief at the court’s conclusion that they do not owe these broad fiduciary and tortious duties. If the court had agreed with the claimant, these onerous obligations could be a major disincentive to participation in bitcoin software development.
However, the court suggested (obiter) that developers might owe duties to (i) take reasonable care not to harm interests of users when making software changes or (ii) (if they do control the networks) address bugs or other defects that arise in the course of operation of the system and which threaten that operation. Furthermore, the court acknowledged the importance of the public policy issues raised by the claimant and observed that this area could be considered by the Law Commission (in its ongoing project on digital assets) and/or Parliament.
Any further consideration of whether bitcoin developers owe duties to owners would require an investigation into whether such developers actually do control the networks and any constraints on such control (eg if the network refuses to implement an update). Neither of these questions was answered in this case as the court proceeded on the assumption that the claimant would be able to establish the relevant facts.
A final note of caution is that the characteristics of cryptocurrencies can vary widely. Decisions regarding bitcoin might not be applicable to another cryptocurrency where, for example, software developers hold a more central role and owners have an entirely different set of expectations.
The claimant was refused permission to appeal by the High Court on 6 May 2022.