Table of Contents Hide
Do the developers of Bitcoin code owe fiduciary duties to an owner of that cryptocurrency to help the owner retrieve lost or inaccessible bitcoin after the owner’s private key has been hacked? They might ruled the U.K. Court of Appeal in Tulip Trading Limited v Bitcoin Association For BSV & Ors  EWCA Civ 83 (03 February 2023), a decision that overturned a lower court judge who ruled there was no basis to obtain such relief.
While the decision of the Court of Appeal provides Tulip, the owner who allegedly lost $4 billion in bitcoin, with a potential remedy, what is surprising is that Tulip relied principally on direct causes of action against the developers, being fiduciary duty and a duty of care in tort. There was no claim for a proprietary remedy or injunctive relief ancillary to any claims against the hackers of the Tulip account. While perhaps also novel claims, for the $4 billion dollars that were at stake, this seems like a missed opportunity to obtain the much needed relief Tulip was seeking.
Factual contentions related to Fiduciary duty of Bitcoin developers
The issue in the case arose in this way. Tulip Trading Limited, a company associated with Dr Craig Wright, claims to be the owner of bitcoin with a value of about USD $4 billion. The bitcoin was held at two addresses on the blockchain called 1Feex and 12ib7. However, the private keys were lost in a hack, and likely stolen. Without its private keys Tulip could not access its assets or move them to safety.
Tulip contended that the developers named as defendants control and run the BSV, BTC, BCH and BCH Bitcoin networks. Tulip also alleged that it would be a simple matter for the developers to secure Tulip’s assets, e.g. by moving them to another address which Tulip could control.
Tulip’s alleged that the bitcoin in its accounts may not have been moved because the hackers could not crack the encryption which protected the private keys. Tulip maintained that it is not technically difficult for a patch to the computer code that operates the four Bitcoin networks in issue to be developed which would have the effect of transferring the digital assets to which access had been lost to a new address. That new address would have a (new) private key, which Tulip could then use to regain access to its digital assets, and a public key. Tulip claimed alternatively that the patch the developers could provide could ensure that Tulip regains control of the assets in their existing locations, which likely would involve allocating replacement private keys to the existing addresses. In either case, Tulip asked for an order for the developers to implement a patch which would resolve Tulips’s problem.
The defendants challenged this description of the developers’ position portraying (particularly in the case of the BTC developers) a decentralised model in which, to the extent that they are or continue to be involved in software development for the relevant Bitcoin networks, they are part of a very large, and shifting, group of contributors without an organisation or structure. Also, they asserted that any change that they were able to propose to address Tulip’s complaint would be ineffective because miners would refuse to run it and instead would continue to run earlier versions of the software. Further, they said, what was sought went against the core values of Bitcoin as a concept.
All of this was disputed by Tulip and the Court of Appeal did not purport to resolve these issues on the motion.
Assessment of Fiduciary duty of Bitcoin developers
Tulip’s legal theory was premised on a novel argument. It was that the role the developers have undertaken in relation to Tulip’s property (it was acknowledged that the bitcoin was “property”) and the power this role gives them, meant that the developers should be recognised as a new ad hoc class of fiduciary, owing fiduciary duties to the true owners of bitcoin, including in this case Tulip as true owner of the bitcoin at 1Feex and 12ib7. Further, the fiduciary duties owed should extend to implementing a necessary software patch to solve Tulip’s problem and safeguard Tulip’s assets from the thieves. Tulip’s case was supported by at least one academic paper, In Code(rs) we trust: Software Developers as Fiduciaries in Public Blockchains. Nevertheless there is also academic literature supporting the contrary view, i.e. Blockchain Development and Fiduciary Duty.
The developers denied they owed fiduciary or any other duties to Tulip. They contended that they have nothing like the power or control Tulip alleged and that duties of the kind Tulip contend for would be highly onerous and unworkable.
To decide whether a serious issue to be tried existed, the Court of Appeal canvassed in detail the law related to fiduciary duties.
The Court noted that the issues in the case “are new and quite a long way from factual circumstances which the courts have had to examine before in the context of fiduciary duties”. Yet, as it also noted, the “categories in which fiduciary relationships can be identified are not closed” and that “the common law often works incrementally and by analogy with existing cases, and rightly so; but if the facts change in a way which is more than incremental I do not believe the right response of the common law is simply to stop and say that incremental development cannot reach that far”.
The Court also highlighted the unusual features of the case in which the control Bitcoin developers allegedly had over the development of the Bitcoin code.
The unusual factual feature of the present case is that literally all there is, is software. A physical coin has properties which exist outside the minds of people who use it and in that sense is tangible. Bitcoin is similar. It also has properties which exist outside the minds of individuals, but those properties only exist inside computers as a consequence of the bitcoin software. There is nothing else. And crucially, asserts Tulip, it is the developers who control this software. On Tulip’s case that control is very significant. In a bank the software developers as individuals will be tasked with maintaining the source code for the bank’s accounts and payment systems, but they are subject to ultimate control by the board (and subject to regulation). The bank’s developers have nothing like the control over the customer’s assets which Tulip alleges the bitcoin developers have over bitcoin. These allegations are heavily contested by the developers in this case, who advance their case on decentralisation, but that cannot be resolved on this application or appeal.
Lord Justice Birss, writing for a unanimous court, summarized the reasons for finding that there was a serious issue to be tried that the developers of Bitcoin code had a fiduciary duty to holders of bitcoin like Tulip whose accounts had been hacked but whose assets could be restored to them by some changes to the Bitcoin codebase.
Pulling all this together, I recognise that for Tulip’s case to succeed would involve a significant development of the common law on fiduciary duties. I do not pretend that every step along the way is simple or easy. However there is, it seems to me, a realistic argument along the following lines. The developers of a given network are a sufficiently well defined group to be capable of being subject to fiduciary duties. Viewed objectively the developers have undertaken a role which involves making discretionary decisions and exercising power for and on behalf of other people, in relation to property owned by those other people. That property has been entrusted into the care of the developers. The developers therefore are fiduciaries. The essence of that duty is single minded loyalty to the users of bitcoin software. The content of the duties includes a duty not to act in their own self interest and also involves a duty to act in positive ways in certain circumstances. It may also, realistically, include a duty to act to introduce code so that an owner’s bitcoin can be transferred to safety in the circumstances alleged by Tulip…
The Court’s conclusion was expressed as follows:
I would allow this appeal. The conclusion is not that there is a fiduciary duty in law in the circumstances alleged by Tulip, only that the case advanced raises a serious issue to be tried. The time to decide on the duty in this case is once the facts are established. As the judgment itself showed, to rule out Tulip’s case as unarguable would require one to assume facts in the defendant developers’ favour which are disputed and which cannot be resolved this way. If the decentralised governance of bitcoin really is a myth, then in my judgment there is much to be said for the submission that bitcoin developers, while acting as developers, owe fiduciary duties to the true owners of that property.
Comments on Tulip case and missed opportunity
There are multiple cases in Canada in which fiduciary relationships have been established. The closest case in Canada to the Tulip case is Pandi v. Fieldsofwebs.com Ltd., 2007 CarswellOnt 4389 (Ont. S.C.) In the Pandi, a customer of a website host argued that the host owed and breached a fiduciary duty to the plaintiffs. The Court rejected the argument noting that software developers of website hosts do not fall with any of the traditionally recognized categories of relationships considered in law to create fiduciary obligations. It rejected the argument that the hosts’ technical expertise and capabilities including its ability to get access to confidential information in the databases it hosts casted the relationship between the customer and the host as one in which a fiduciary relationship exists. According to the Court:
I am not able to accept that argument as it confuses physical with legal vulnerability and fails to distinguish between a lawful power to exercise a discretion, which is the nature of the power referred to in Frame v. Smith and in Lac Minerals Ltd. v. International Corona Resources Ltd., 1989 CanLII 34 (SCC),  2 S.C. R. 574, and a clandestine unauthorized access which is the nature of the alleged conduct. The economic vulnerability of a person in the position of the plaintiff whose website is in the technical hands of the internet host may very well give rise to a duty of care on the part of the host (which is not in issue here), but in the case at bar, there is no evidence of any discretion having been reposed in the defendants in relation to the database or to the website generally. There is no evidence that the defendants were vested with any authority to do anything with the data, whether to examine, manipulate, revise or draw reports from it, other than on the request and instructions of the plaintiff. There is no evidence of a power to exercise any discretion over either the plaintiff’s business or its database. In such circumstances I am not able to say that a strong prima facie case has been shown that the defendants or any of them were fiduciaries of the plaintiffs, and, a fortiori, that there had been a breach of duty.
The facts in Pandi, however, are much different from those in Tulip.
What is surprising about the Tulip case is that Tulip relied principally on directly causes of action against the developers, being fiduciary duty and a duty of care in tort, the latter claim of which was also found by the judge of first instance to be not viable. There was no claim for a proprietary remedy or for injunctive relief ancillary to any claims against the hackers of the Tulip account. Specifically as for the latter remedy, as far as I know, what Tulip did not do was to sue the alleged hackers, obtain an interlocutory or mandatory injunction to compel the hackers to return the private keys to Tulip, and to seek ancillary injunctive relief against the defendants including to assist in enforcing the order of the court.
While perhaps novel requests to a court, injunctions are equitable remedies and the powers of courts to grant injunctions are, subject to any relevant statutory restrictions, unlimited. The injunction remedy is a flexible one, is not restricted to any area of substantive law, and is readily enforceable through the court’s contempt power.
Courts have long issued orders to non-parties where their assistance was required to do justice. The foundation of all of these orders is the ancient rule that the court has inherent jurisdiction to maintain the rule of law and to control its own process. This principle is now enshrined in the laws of most countries including the U.K. where courts can grant injunctive relief in all cases in which it appears to the court to be just or convenient that the order should be made.
Non-parties are also regularly made subject to injunctive orders issued to enable parties to enforce orders against non-parties. Three well known examples of orders made against non-parties – in the absence of a cause of action against them – are the Mareva injunction, Bankers Trust, and Norwich Pharmacal orders. The latter two remedies can be invoked to trace property (including crypto assets) wrongfully in the hands of innocent third parties. Each of these orders has certain criteria that must be satisfied for the orders to issue. For example, for Norwich orders the non-party must unwittingly become “mixed up in wrongdoing”. In such cases, the non-party comes under a duty to assist the person who has been wronged by giving him full information and disclosing the identity of the wrongdoers as “justice requires that he should co-operate in righting the wrong if he unwittingly facilitated its perpetration”.
The courts have continued to expand the circumstances in which orders are made against “innocent” third parties. For example, in the U.K. Cartier case, Arnold J., issued an order requiring ISPs to block pirate sites that were infringing trade-marks of the plaintiff. In making the order the court recognized the breadth of the court’s equitable jurisdiction to make orders against innocent parties. Justice Arnold drew an analogy to “the equitable protective duty” described by Buckley LJ in the U.K. Court of Appeal in Norwich Pharmacal that
“… If a man has in his possession or control goods the dissemination of … will infringe another’s patent or trade mark, he becomes, as soon as he is aware of this fact, subject to a duty, an equitable duty, not to allow those goods to pass out of his possession or control at any rate in circumstances in which the proprietor of the patent or mark might be injured by infringement ensuing…. This duty is one which will, if necessary, be enforced in equity by way of injunction: see Upmann v. Elkan, L.R. 12 Eq. 140; 7 Ch.App 130.”
The Court of Appeal in affirming the decision of Arnold J., in Cartier noted that this principle was not directly applicable in that case, but that “it was not a long step from this to conclude that, once an ISP became aware that its services were being used by third parties to infringe an intellectual property right, it became subject to a duty to take proportionate measures to prevent or reduce such infringements even though it was not itself liable for them”.
There was an appeal in Cartier to the U.K. Supreme Court on the issue of costs. In the course of giving reasons the Supreme Court reviewed the history of the jurisdiction of the courts to make orders against non-parties ancillary to proceedings against the wrongdoer at law. It noted that the jurisdiction had originated in bills of discovery. The Court then went on to summarize the major departure in the law which led to Norwich orders, the equitable protective jurisdiction, and to the general power of the courts to vindicate the rights of the plaintiff. According to the Court, “[t]he true basis of the court’s intervention is that once the intermediary has been given notice of the infringement of the plaintiff’s rights, his duty is to stop placing his facilities at the disposal of the wrongdoer.” Put another way “the duty is said to lie rather on the court to make an order necessary to the administration of justice than on the respondent to satisfy some right existing in the plaintiff”.
After providing this history, the UKSC expressed the opinion that the website blocking order issued by the lower court was correct in principle and fell into the “category of order which a court may make against a third party to prevent the use of his facilities to commit or facilitate a wrong”. The UKSC also confirmed that the order was made “on ordinary principles of equity”.
Courts in Canada have followed these authorities. In the Equustek case, the Canadian Supreme Court issued a worldwide de-indexing order against Google to facilitate the enforcement of an interlocutory injunction in a trade secret case. In the GoldTV case the Federal Court of Appeal issued the first, in what has become a series of Canadian cases, in which website blocking orders were made in copyright infringement proceedings. In Warner Bros. Entertainment Inc. v. White (Beast IPTV), a copyright anti-piracy case, a court issued broad injunctive relief which included, among other things, the transfer of control of the infrastructure of the alleged infringer to independent supervising solicitors. In Bell Media Inc. v. Macciacchera (Smoothstreams.tv), 2022 FC, a court ordered domain name registrars, hosts and payment processors to comply with terms that permitted supervising solicitors to take control of and transfer accounts from the defendants.
The jurisdiction to make ancillary injunctive orders against non-parties is not, of course, limited to intellectual property disputes. For example, in the U.K. case, Mosley v Google Inc & Anor  EWHC 59 (QB) (15 January 2015) a court recognized that a right to get a blocking order against a search engine in a privacy dispute might be available under the UK Data Protection Act 1998. (The case is summarised in the blog post, Barry Sookman, Internet justice: Mosley v Google.) In PJS v News Group Newspapers Ltd  UKSC 26 (19 May 2016), the U.K Supreme Court noted in another privacy case the appropriateness of search engines geo-blocking U.K. IP addresses to prevent the access from the U.K. to foreign sites that published articles which were enjoined in the U.K.. (The case is summarized in the blog post, Barry Sookman, Privacy injunctions in the age of the Internet and social media: PJS v News Group Newspapers.)
These types of ancillary orders can oblige a non-party to do, or refrain from doing, specified actions in a foreign country. Though they may have extraterritorial effects, they do not assert extraterritorial jurisdiction. However, the courts issue them recognizing the need to carefully tailor them but to make them effective.
As for the Tulip case, we will have to wait and see whether the common law will adapt to the realities of the 21st century and recognize a broader class of fiduciary duty or other remedies for these types of situations.
The common law has evolved to give persons whose crypto assets have been hacked ways to trace those assets including with Bankers Trust and Mareva injunctions. Tulip did not argue that these recognized proprietary remedies could be invoked against persons that directly or indirectly technically control the means of accessing property – bitcoin – relying only on the law related to fiduciaries and certain torts. There certainly would be a gap if a person’s property was, in essence, “possessed” by a hacker and the court declined to fashion a proprietary remedy to enable the person’s assets to be restored to the rightful owner.
But, there was a further remedy that Tulip did not pursue. Tulip has not yet (as far as I know) taken the path of seeking a remedy by invoking the court’s equitable protective jurisdiction to fashion a remedy in a proceeding against the hackers. To be successful, Tulip might need the court to incrementally expand or expound upon the category of actor that can be made subject to an order. It may need to argue, for example, that Bitcoin developers are sufficiently “mixed up” in the wrong, or their “facilities” or “services” are being used to perpetrate a wrong, or that they are in “possession” of goods or property (bitcoin), so as to make them potentially subject to an equitable ancillary order. If a court finds there is jurisdiction to make an order, it will next need to determine whether to make the order which will involve a number of factors, one of which may be the costs and difficulties of complying with the order. Tulip may need to address whether and the extent to which the court’s equitable protective jurisdiction may be limited by the common law’s general approach, as summarized by the Judge in first instance, that positive duties in tort to assist another are the exception rather than the rule.
Invoking the court’s equitable jurisdiction to grant a proprietary or ancillary injunctive relief here would be a novel application of the law. But for $4 billion, one would think they both would have been worth a try.
 Ian Spry, The Principles of Equitable Remedies (9th ed. 2014), at p. 333, Robert Sharpe, Injunctions and Specific Performance (loose-leaf ed.), at para. 2.10.
 In Canada, see, MacMillan Bloedel v. Simpson,  2 S.C.R. 1048; R. v. Cunningham, 2010 SCC 10.
 See, Barry Sookman, Blockchain vulnerabilities – crypto hacks, blockchain forensics and legal challenges, International Journal of Blockchain law, Vol. 2 March 2022 P.25, updated from the original blog post published on barrysookman.com. .
 Norwich Pharmacal Co v Customs and Excise Commissioners,  A.C. 133
 The Court summarized the history as follows:
A more significant departure occurred with the decision of Lord Romilly MR in Upmann v Elkan (1871) LR 12 Eq 140. This decision marked the point at which the power to order a party to assist the plaintiff against a wrongdoer acquired a life of its own, independent of its origins in the bill of discovery. The facts were that the defendant freight forwarding agent was innocently in possession of consignments of counterfeit cigars in transit to Germany through a London dock. The action was not for discovery, but for an order restraining the forwarder from releasing the goods and an account of damages, on the footing that he had himself infringed the mark. The forwarder volunteered the names of the consignors and agreed to submit to whatever order the court should make. That left only the question of the costs of the action. Lord Romilly MR accepted that the forwarder was not an infringer, but thought that he would have been if after being told of the infringement he had not performed his duty. His duty in Lord Romilly’s view (p 145) was “at once to give all the information required, and to undertake that the goods shall not be removed or dealt with until the spurious brand has been removed, and to offer to give all facilities to the person injured for that purpose.” The decision was affirmed on appeal by Lord Hatherley LC: (1871) LR 7 Ch App 130.
A century later, Lord Romilly’s judgment was the main basis in authority for the seminal decision of the House of Lords in Norwich Pharmacal Co v Customs and Excise Comrs  AC 133. Norwich Pharmacal was an action against the Customs and Excise for an order that they disclose the identity of those who, by importing drugs the subject of the plaintiff’s patent, had infringed it. The Customs and Excise, although they were not themselves infringers or in any other way culpable, had control over the goods at the point of importation. They were therefore unwittingly involved in the infringement although not party to it. The House of Lords held that disclosure should be ordered. The mere fact that the Commissioners possessed the relevant information was not enough to justify this result. The decisive factor was that they had themselves facilitated the tort, albeit innocently. Lord Reid stated the principle as follows at p 175B-C:
“… if through no fault of his own a person gets mixed up in the tortious acts of others so as to facilitate their wrong-doing he may incur no personal liability but he comes under a duty to assist the person who has been wronged by giving him full information and disclosing the identity of the wrongdoers. I do not think that it matters whether he became so mixed up by voluntary action on his part or because it was his duty to do what he did. It may be that if this causes him expense the person seeking the information ought to reimburse him. But justice requires that he should co-operate in righting the wrong if he unwittingly facilitated its perpetration.”
The Norwich Pharmacal jurisdiction is commonly exercised for the purpose of assisting the claimant to bring or maintain proceedings against the wrongdoers, generally by providing information. But it is not limited to cases where proceedings against the wrongdoers are anticipated, or indeed to the provision of information. As Lord Fraser observed in British Steel Corpn v Granada Television Ltd  AC 1096, 1200C-G, the injunction “is sought for the vindication of BSC’s rights, and I do not think it matters whether separate proceedings are required for that purpose or not.” This was confirmed by the House of Lords in Ashworth Hospital Authority v MGN Ltd  1 WLR 2033, para 3, and by the Supreme Court in Rugby Football Union v Consolidated Information Services Ltd (formerly Viagogo Ltd)  1 WLR 3333, para 15. The true basis of the court’s intervention is that once the intermediary has been given notice of the infringement of the plaintiff’s rights, his duty is to stop placing his facilities at the disposal of the wrongdoer. This is why it is critical that the intermediary should have been “mixed up in the tortious acts of others”. As it happened, the Commissioners of Customs and Excise were “mixed up” in the importation pursuant to a statutory duty. They could not therefore be required to do more than provide information so as to allow direct proceedings against the infringers to stop the importation. But an intermediary who was free to terminate his involvement in the infringing trade, like the freight forwarder in Upmann v Elkan, could have been required to do so.
I suggested in Singularis Holdings Ltd v PricewaterhouseCoopers  AC 1675, para 22, that the duty to assist identified by Lord Reid was not a legal duty in the ordinary sense of the term. As Lord Reid himself put it in Norwich Pharmacal, the intermediary came under the duty without incurring personal liability. This is really only another way of saying that the court had an equitable jurisdiction to intervene. Lord Kilbrandon put the point very clearly in his own speech. Citing the South African decision in Colonial Government v Tatham (1902) 23 Natal LR 153, 158, he said that “the duty is said to lie rather on the court to make an order necessary to the administration of justice than on the respondent to satisfy some right existing in the plaintiff” (p 205D-E)….
 Fourie v. Le Roux  UKHL 1; National Australia Bank v. Dessau,  VicRp 58 (S.C.); R Griggs Group Ltd v Evans (No 2)  EWHC 1088 (Ch); Pavlovich v. Superior Court, 109 Cal. Rptr. 2d 909 (Cal. App. Ct., 2001); Google Spain v. González (case no. C-131/12) (examining jurisdictional basis for requiring Google to deindex search results).
 See, Barry Sookman, Blockchain vulnerabilities – crypto hacks, blockchain forensics and legal challenges, International Journal of Blockchain law, Vol. 2 March 2022 P.25, updated from the original blog post published on barrysookman.com. .
 See, Redland Bricks Ltd. v. Morris,  A.C. 652 (H.L.) “So the amount to be expended under a mandatory order by the defendant must be balanced with these considerations in mind against the anticipated possible damage to the plaintiff and if, on such balance, it seems unreasonable to inflict such expenditure upon one who for this purpose is no more than a potential wrongdoer then the court must exercise its jurisdiction accordingly.”
 In Canada, see Childs v. Desormeaux, 2006 SCC 18; R v. Imperial Tobacco Canada Ltd.,  3 S.C.R. 45.