The Court of Appeal has ruled that software developers may owe fiduciary duties to software users. Why does this matter and what is a fiduciary duty?
English case law says that if A acts for, or on behalf of, B in circumstances that give rise to a relationship of trust and confidence, A is B's fiduciary and owes B strict fiduciary duties. Confucius, Plato and Cicero each wrote about the importance of fiducary duties. Time and tech has of course moved on, but might we be about to see their lessons reinforced in our modern digital age....
The Tulip case - what blossomed here?
The English courts were recently asked to consider whether developers of blockchain software owe fiduciary duties to owners of bitcoin using their software. In short, the claimant, Tulip Trading Ltd (Tulip), alleged that:
- it was locked out of its bitcoin account following a hack, in which the private keys needed to access the account were allegedly stolen and deleted; and
- the defendant developers owed fiduciary and tortious duties to Tulip as true owner of the bitcoin which included implementing the necessary software patch to restore Tulip’s access to the bitcoin and safeguard its assets.
Because the developers were located outside the jurisdiction, Tulip had to apply to serve proceedings outside the jurisdiction. The Master allowed the application. The High Court overturned that decision, saying there was no serious issue to be tried because there was no arguable case that the blockchain software developers owed fiduciary duties. But Tulip appealed to the Court of Appeal, which is where this gets interesting!
Court of Appeal decision
The Court of Appeal unanimously said it was in fact arguable that the defendants owe Tulip a fiduciary duty to take reasonable steps to ensure that Tulip has access to and control of its bitcoin. Whether such a duty actually exists is to be determined at trial. It also recognised that imposing such a positive duty on developers to restore stolen bitcoin to their rightful owners would be a significant extension of the common law.
The court also said that any positive duty on developers to introduce code to restore stolen digital assets to their rightful owner would arise only after a decision of a court of competent jurisdiction on the ownership of the property.
- it is at least arguable that developers of a given blockchain network are a sufficiently well-defined group to be capable of being subject to fiduciary duties – the Court disagreed that the developers were too fluctuating a body and also said that the fact that the character of blockchain was decentralised was contested, and so needed to be considered at trial;
- it was arguable that the defendants are fiduciaries because, if you looked at the issues objectively, their role involved making discretionary decisions and exercising power on behalf of other people, where that property is owned by those other people. It was realistic for bitcoin owners to hold a legitimate expectation that developers will use their skills to fix bugs in the software drawn to their attention. The Court also said that it did not matter if amending certain software features was not in the interests of certain other users. Trustees are often required to make decisions which favour the interests of one beneficiary over another.
- such a duty would impose negative duties, which might include a duty not to introduce a feature for the developers’ own advantage that compromised digital asset users’ security. However, it might also include positive duties, such as a duty on developers to act in good faith to use their skills to introduce code to fix bugs which are drawn to their attention or introduce a code so that an owner’s bitcoin could be transferred to safety.
(As an interesting side issue, the Court said that ‘a cryptoasset such as bitcoin is property’. This is consistent with first instance decisions. It also referred to the Law Commission’s recent paper on creating a third category of property to cater for digital assets.)
So why does this matter?
It indicates a potential direction of travel in terms of liability for software more generally. The court's finding that the developers' fiduciary duties could include a duty to introduce a software patch is of huge economic importance.
Both the UK and EU understand that issues arise if manufacturers and developers of software fail properly to support their software by providing timely security updates. The UK has legislated to require manufacturers to comply with minimum cybersecurity obligations, including providing security updates to their products for minimum periods of time, by the Product Security and Telecommunications Infrastructure Act 2022. The EU has proposed the Cyber Resilience Act with obligations to ensure the cybersecurity of products with digital elements during the whole life cycle.
These have focused on cybersecurity, but show that legislators are prepared to impose a statutory requirement on software developers/manufacturers. Issues have also arisen regarding who is liable for faulty software in the context of autonomous vehicles or remote driving and more generally how product liability applies to new technologies and therefore whether software developers should be liable for faults and damage/injury. The Tulip case illustrates that software developers enjoy significant control over the software and there can be significant financial consequences if they fail to do things which give consumers and others remedies.
Although the case is limited to its facts, the Court of Appeal decision raises some issues of wide interest and we will be waiting eagerly to see how the issue is decided at full trial. There could be 'service' related implications for all manner of tech providers, whether developers, data centres, platforms, SaaS providers, managed service providers and more.