News: 1729162950

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Post Office CTO had 'nagging doubts' about Horizon system despite reliability assurances

(2024/10/17)


The former CTO of the Post Office had "nagging doubts" about the Horizon system at the center of one of the most far-reaching miscarriages of justice in UK history, yet he continued to sign off statements to MPs attesting to its security and reliability.

Horizon is an EPOS and back-end finance system for thousands of Post Office branches around the UK, first implemented by ICL, a technology company later bought by Fujitsu. From 1999 until 2015, around 736 subpostmasters and subpostmistresses were wrongfully convicted of fraud when errors in the system were to blame. A [1]statutory inquiry into the mass miscarriage of justice launched in 2021 is ongoing.

During questioning at the Post Office Horizon IT inquiry this week, former IT boss Mike Young agreed it was his responsibility to make sure that what was said to Parliament was absolutely accurate, even though he had no personal contact with MPs about the Horizon system.

[2]

Young agreed he was aware of the "robust stance" on Horizon's reliability and security that the Post Office wanted to communicate to the government department responsible and its minister, Ed Davey, after his meeting with Sir Alan Bates, the subpostmaster who led the Justice For Subpostmasters Alliance (JFSA).

[3]

[4]

Flora Page, the lawyer representing former subpostmasters Lee Castleton and Seema Misra in the inquiry, suggested Young "didn't bother to find out" whether information given to MPs was accurate.

Young said he thought the stance was accurate based on information provided by Fujitsu and his own team.

[5]

However, in 2011, as "heat" from the media, campaigners, and MPs built, he said he started to have doubts.

"At the point that you've got more and more subpostmasters… it grew… the JFSA, saying the system was wrong. If you didn't have that nagging doubt, you've got a bit of a problem. It acts almost as a conscience check. What I said and maintained [was] I saw nothing in the Horizon system beyond what was in rollout, and then some of the change activities and the hardware failures that suggested Horizon was doing anything but what it was prescribed to do, and it certainly was within its SLAs, and where there were failings, they were highlighted."

Young said his opinion changed as evidence emerged in the [6]Second Sight report [PDF], commissioned in 2012 to investigate problems with Horizon. The report identified system issues that caused account imbalances, and said the Post Office was focused on recovering the money and prosecuting subpostmasters rather than finding the cause of the problem.

[7]Post Office seeks more Horizon support as it continues hunt for replacement

[8]Post Office CEO tells inquiry: Leadership was in 'dream world' over Horizon scandal

[9]UK Lords push bill to tame rogue algorithms in public sector

[10]Inquiry hears UK government misled MPs over Post Office IT scandal

A second report in 2015 said the system could produce errors due to faulty or outdated equipment, communication errors, and lack of security.

As of 2011, Young told the inquiry this week, he became worried about issues around who could access and change account data in the system.

[11]

"I've no doubt about that because I thought that might be better policed, but it was addressed in a relatively short timescale," he said. "It's only with the hindsight of this inquiry and some of what I've learnt from the Second Sight Report that I now know, through that benefit, that some of the audit logging… wasn't as locked down as best practice would indicate and it was open to abuse."

However, Page maintained that in 2011 senior managers who were sending responses to the media attesting to the robustness and security in the Horizon system were the same people who had received [12]a December 2010 email from Lynn Hobbs , the organization's general manager of network support, saying she had discovered that Fujitsu could put an entry into a branch account remotely.

Young responded: "We have to be careful about how we use our language. A backdoor is, for me, as for most people in tech… well, then there was no backdoor as far as I was concerned at this point."

The inquiry continues. ®

Get our [13]Tech Resources



[1] https://www.theregister.com/2024/07/29/post_office_horizon_inquiry/

[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_onprem/publicsector&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZxE0okx1tDYrMVKhYc6zvAAAAQI&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_onprem/publicsector&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZxE0okx1tDYrMVKhYc6zvAAAAQI&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_onprem/publicsector&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZxE0okx1tDYrMVKhYc6zvAAAAQI&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_onprem/publicsector&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZxE0okx1tDYrMVKhYc6zvAAAAQI&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[6] https://www.jfsa.org.uk/uploads/5/4/3/1/54312921/pol_interim_report_signed.pdf

[7] https://www.theregister.com/2024/10/15/post_office_horizon_dc_support/

[8] https://www.theregister.com/2024/10/10/post_office_ceo_inquiry/

[9] https://www.theregister.com/2024/09/10/uk_lords_algorithms_bill/

[10] https://www.theregister.com/2024/07/29/post_office_horizon_inquiry/

[11] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_onprem/publicsector&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZxE0okx1tDYrMVKhYc6zvAAAAQI&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[12] https://postofficeinquiry.dracos.co.uk/phases-5-6/2024-04-25/

[13] https://whitepapers.theregister.com/



I could empathise....

Guy de Loimbard

But I'm not going to.

People were jailed, wrongly, people had reputations and lives destroyed, some are sadly no longer with us due to this crusade against them.

Protecting a brand, when it was known to be flawed, then going on to prosecute people to this extent is morally reprehensible and legally shocking!

Post Office need to have all of the BS "rights" to prosecute removed, if that hasn't happened already.

Re: I could empathise....

Ol'Peculier

Fully agree.

Incidentally, the Royal Mail is believed to be the first organisation to carry out investigations and prosecutors in the world.

Not that been first is best...

Re: I could empathise....

NoneSuch

When people stop speaking truth to power for fear of retribution, that is no longer a democracy.

Re: I could empathise....

Eclectic Man

The issue is not that he received assurances from his senior team and Fujitsu, but that he did not check the basis on which those assurances were made. he did not ask for an independent technical security assessment report, or even an audit to ISO27001 by a competent independent team. He just relied on what he was told without questioning it too hard. That is what some people would call 'sloping shoulders', I call it abrogation of responsibility.

Re: I could empathise....

Doctor Syntax

I call it fear.

Why always 'someone else'

tmTM

A recurring theme people use in their defence is that 'someone else' told them the system was fine and that was that.

Who are these 'someone else'?? Why did even the head of IT have 'someone else' telling him everything was hunky dory?

Sooner or later names will have to be named, if it's not the head of IT then who was it?

Re: Why always 'someone else'

Yet Another Anonymous coward

His job was not to know anything, that's why he was paid so much.

Re: Why always 'someone else'

R Soul

At least none of these lying, malevolent, incompetent bastards has resorted to the Nuremberg defence - "I was only obeying orders", Well, not yet.

Re: Why always 'someone else'

Doctor Syntax

This is the new version "I was going on what I'd been told." It should carry as much weight when you're in a position where you can demand the truth.

If there's no audit log how can there be prosecutions?

andy 103

Genuine question.

My understanding of this case is that in simple terms Fujitsu had access to remote systems and were able to edit transaction data. They did this to make it appear as though bugs were either resolved or had never occurred in the first place. However they did this without any real form of audit logging (for dubious reasons) or understanding/caring about the ramifications of doing this in a financial application.

Naturally anyone who is now being "accused" is simply pointing the finger elsewhere.

Realistically how is anyone going to get definitive answers on a case like this when identifying and tracing the source of every bodged transaction is effectively impossible?

I'm not for one moment saying any of this is alright but I also don't see how anyone expects to get all the relevant information to prosecute the appropriate people.

Re: If there's no audit log how can there be prosecutions?

Doctor Syntax

They've put themselves in a position where they can't - or shouldn't be able to - convict even a genuine case without completely independent proof.

Re: If there's no audit log how can there be prosecutions?

adam 40

There was no audit logging.

No any form of double-entry by the looks of it.

I've only worked in accounting software once, and when I said "we have two ways of tracking transactions" shall I get rid of one, the accountant in the team said "no! great, keep them both, we can use them to counter-check against each other". A principle that seems lost in Horizon (probably, to this day. Which lays it open to fraud.).

Those Post Office workers never stood a chance

Anonymous Coward

Everything was rotten back at HQ and Fujitsu.

Bastards.

Doctor Syntax

If he had nagging doubts he was the best placed person to satisfy them yet he didn't. In his position plausible deniability isn't. There were obviously too many who didn't want to start turning over stones for fear of what might lie beneath.

...and it was open to abuse.

Neil Barnes

So who abused it? It doesn't appear to have been the poor bloody postmasters.

Re: ...and it was open to abuse.

BobChip

Lots of money (LOTS and LOTS of money) is still missing. Since it is now obvious that it was not the Postmasters who were stealing it, where did it go, how, and where is it now? Those who had access to the system and could "adjust" it at will, look to me to be the primary suspects. Whether within Fujitsu or even the Post Office itself? And who is now looking into this? Obviously can't let either the Post Office or Fujitsu anywhere near to running the investigation themselves. This story has only just begun......

Re: ...and it was open to abuse.

katrinab

The “missing” money never existed.

Post office terminal sent a sales transaction to head office. Head office sent an ack packet back. Ack packet didn’t arrive at the terminal. Terminal retransmitted the transaction. Head office logged it as a second sale.

Re: ...and it was open to abuse.

Sam not the Viking

As far as I am aware, none of these convicted postmasters have been found with the ill-gotten-gains, which would, of course, be recoverable if they existed.

Those who were 'forced' to pay back 'lost money' were contributing to the PO bosses bonuses.

It now appears that it was 'somebody else's fault'. They've been coached by their legal team who have no incentive to get matters concluded.

Re: ...and it was open to abuse.

adam 40

An audit should have shown up phantom "profits"

So this sad tale of abject failure of leadership continues

Pascal Monett

You're CTO with nagging doubts, but you don't do anything about it ?

Of what use were you, exactly ?

Oh, right : signing off reports saying that everything was fine.

So, corrupt to the bone, eh ? And now you're pretending to have a conscience ?

A bit late for that.

Roll out new point of sale system, get petty crime wave?

OllieJones

Didn’t anybody wonder about the scope of this supposed crime wave? Seven hundred some-odd independent and disorganized small business people embezzling from the Royal Mail? Only in some dystopian sci-fi film.

Sure, one or two, or even ten might try that. But, not one judge, or detective, or silk-wearing barrister or auditor stopped to think and to ask the obvious questions when the number of accused started climbing into the hundreds? Impossible to believe. There is an untold story somewhere in this mess about a suppressed whistleblower.

Re: Roll out new point of sale system, get petty crime wave?

Spazturtle

The Post Office had long viewed Sub-Postmasters as outsiders who were all thieving bastards, they just never had any proof. Horizon comes online and confirms their already existing bias, instead of being surprised at the number of 'thieves' they were instead impressed by how well it was catching them.

Re: Roll out new point of sale system, get petty crime wave?

Lee D

To be fair, implementing a more robust accounting system could EASILY generate that kind of response, things that were totally missed before because there was no way to check them, but which flag up immediately in a newer system.

And judges are not there to do the research for you, they judge the case in front of them based solely on the evidence in front of them. Anything else is dangerous. It would be for the lawyers (especially defence) to say "There have been X hundred court cases in recent years because of the Horizon system, which is far in excess of the previous system, can you account for that? Is it not possible that my client is one of many being unjustly accused?"

Fact is, many of the people that went to court PLEADED GUILTY because they were advised to do so. In that instance, neither the lawyers or judges have much to do beyond dotting the i's and crossing the t's. It's why you never plead guilty to something that you know you didn't do. You've basically said "Yes, I did that, exactly as described." and there's no way back short of a pardon or major scandal.

But a new accounting system suddenly detecting 100's of cases of potential fraud over 16 years (so barely 50 cases a year), out of about 7000 subpostmasters, their other employees, etc.? Yeah, it's significant but it's not implausible. Especially when some of those pleaded guilty and in the process even accepted the evidence from Horizon was accurate.

If you were to suddenly implement "insider trading laws" on 7000 stockbrokers and their employees and departments, I would bet that you'd find more than 100 cases a year.

The real problem is the Post Office's rather unique ability to act on its own: "when an organisation is allowed to act as a prosecutor when it is also the victim and the investigator of an alleged offence".

i.e. crusty old laws with no modern need for them and people able to run amok and avoid oversight.

If they'd had to push their case through the normal entities (such as they had to do in Scotland and Northern Ireland), the number of instances would have been less but still might have flagged something in people's brains along the way.

never plead guilty to something that you know you didn't do.

Anonymous Coward

Easier said than done. Especially in this scandal.

The accused subpostmasters were royally fucked over in so many ways. The Post Office knowingly withheld evidence that would have proved innocence or at least raised sufficient reasonable doubt if cases went to court. The PO anf Fushitsu were also perjuring themselves by claiming Horizon was infallible even when they knew it wasn't. The PO intimidated their victims: threatening to spend gazillions on prosecutions => the accused couldn't possibly hope to afford the resources of mounting a matching defence. This meant the logical but wrong choice for many victims was to cop a plea for a lesser charge to avoid bankruptcy, homelessness and jail time even though they were innocent.

What would any rational person do in these circumstances?

Re: Roll out new point of sale system, get petty crime wave?

katrinab

Private Eye was asking those questions > 20 years ago. I believe Computer Weekly was too, though I never read that publication.

Chief Operations Officer

Anonymous Coward

According to his witness statement, his job titles were "Operations Director", "Chief Technology and Operations Services Director" or "Chief Operations Officer". Never CTO. See pdf at:

https://www.postofficehorizoninquiry.org.uk/evidence/witn11130100-mike-young-witness-statement

The statement gives a summary of what he claims his different roles involved.

It also notes he is a former soldier in the British Army, and a former policeman (rank of Detective Sergeant).

Anonymous Coward

It's been interesting to hear the evidence and cross-examinations about remote access. It seems to me that there has been obfuscation. IMHO remote access is pretty much an intrinsic requirement for IT Systems and should not come as a surprise. The key issue is whether the remote access is used to alter the ledger and whether or not the audit log can be bypassed. Double-entry book keeping has been around for hundreds of years and no doubt there will be endless case law surrounding security of the ledger and how corrections are handled. To my way of thinking common sense would apply - any adjustments would have to be logged and signed-off by the business owner, not least to protect whoever is applying those adjustments. What were they thinking?

katrinab

Generally speaking, you should never be able to change an entry. You would add a new entry saying that a previous entry should be reversed.

Double entry bookkeeping

ChrisElvidge

As I understood it, double entry bookkeeping consisted of having two ledgers, each of which was updated individually. Reconciliation was then done between the two ledgers. If they didn't match there was a problem. Modern systems seem to accept an update to the first ledger and then apply that to the second ledger - or am I really, really wrong?

Zippy´s Sausage Factory

So in short, his testimony was "well, I was pressured to lie, so I did, even though I thought maybe I shouldn't have, but it's OK because I can blame someone else for it"

Did I get that right?

Outdated

elsergiovolador

How can outdated equipment "mess up" with numbers this way?

Makes no sense.

Sure, bad memory, occasional bit flips can happen, but what a coincidence these would happen there.

Did they all get lobotomy and don't know about it?

Re: Outdated

Spazturtle

One of the big ones was lottery tickets, those sales were handled with a different machine which was connected to the Horizon POS. The connection would keep dropping and cause the messages to get re-sent, but Horizon would count them as multiple sales even though they had the same sale number.

Re: Outdated

elsergiovolador

So that's a software error, nothing to do with outdated equipment. You always have to account for dropped connections, double spend etc. these are the basics.

To borrow a meme

Arthur the cat

Jail for CTO! Jail for one thousand years!

Re: To borrow a meme

heyrick

They manipulated people to the point where the innocent had no choice other than to confess to a crime they didn't commit rather than risk losing absolutely everything.

They manipulated people to the point where some of those who weren't happy admitting to something they didn't do decided instead to cease existing.

They withheld information that may well have demonstrated the innocence of the accused; this is where it gets really nasty - they knew something was amiss and decided to carry on screwing people over anyway .

The whole bloody board/directors/the lot should be behind bars - and for a good long time, none of this "we'll let you out in three months if you promise to be good" shit. If everybody blames everybody else, great, means they're all guilty. Don't wait for the first domino to fall, push.

And the laws need changed to ensure that this sort of abuse of power doesn't happen again.

Criminality.

Wang Cores

Knowing how they buried these people under suspicion and allegation, knowing they were innocent, knowing they couldn't fight back and knowing that the prosecutions were driving people into despair such that suicide became an option and the craveness to allow it to go on is beyond the measure of any human metric of criminal culpability. This is murder by system.

I'd bring back writs of outlawry for everyone involved. As they so denied innocents the protections of law or even common decency - let's see how iron-jawed they are when someone toys with their existence in the same arbitrary manner.

Norbert Weiner was the subject of many dotty professor stories. Weiner was,
in fact, very absent minded. The following story is told about him: when they
moved from Cambridge to Newton his wife, knowing that he would be absolutely
useless on the move, packed him off to MIT while she directed the move. Since
she was certain that he would forget that they had moved and where they had
moved to, she wrote down the new address on a piece of paper, and gave it to
him. Naturally, in the course of the day, an insight occurred to him. He
reached in his pocket, found a piece of paper on which he furiously scribbled
some notes, thought it over, decided there was a fallacy in his idea, and
threw the piece of paper away. At the end of the day he went home (to the old
address in Cambridge, of course). When he got there he realized that they had
moved, that he had no idea where they had moved to, and that the piece of
paper with the address was long gone. Fortunately inspiration struck. There
was a young girl on the street and he conceived the idea of asking her where
he had moved to, saying, "Excuse me, perhaps you know me. I'm Norbert Weiner
and we've just moved. Would you know where we've moved to?" To which the
young girl replied, "Yes, Daddy, Mommy thought you would forget."
The capper to the story is that I asked his daughter (the girl in the
story) about the truth of the story, many years later. She said that it
wasn't quite true -- that he never forgot who his children were! The rest of
it, however, was pretty close to what actually happened...
-- Richard Harter