Yeah that's what I don't get about this from the start. Accounting software is not a source of truth. It reflects reality. If there is a discrepancy, then you audit the accounts by comparing to reality, e.g. paper sales receipts.
Sales receipts are not necessarily a spool of paper. It's just a separate log of individual activity/events and is the source of truth for the list of transactions. A spool of paper is easy to make/inherently tamper-evident (for the risk profile of a cash register), but cryptographically signed/sealed logs that are sent (spooled!) to a parallel system in tandem also qualifies.
If the "accounting software" is taking a shortcut by not recording an independent transaction log, the entire system is not very auditable.
The best way for subpostmasters to defend themselves in court is to get Horizon to prove itself through double-column, and reconciliation of their own general ledger.
Unfortunately, in England and Wales, courts consider computers, as a matter of law, to have been working correctly unless there is evidence to the contrary. Therefore, evidence produced by computers is treated as reliable unless other evidence suggests otherwise. This way of handling evidence is known as a ‘rebuttable presumption’. A court will treat a computer as if it is working perfectly unless someone can show why that is not the case.
The really bothersome aspect to my mind is not that the first handful of sub-postmasters were erroneously convicted. It is that they would sooner believe 900(!) sub-postmasters were guilty of fraud and theft than that maybe there is something wrong with the software.
I'm pretty certain this is the same in the USA, too. Certainly you don't need a witness to lay a foundation for entering government web sites into evidence as they have a rebuttable presumption they haven't been tampered with.
Per the submitted post, it seems that every time a sub-postmaster manages to get an expert witness into court, the PO ends up settling out of court instead of continuing legal actions. For really good and pure reasons I am sure.
This is why expert defense witnesses are important, but usually only the prosecution (government) has the budget for an expert, or a competent expert. In the USA the courts are supposed to provide an expert for the defense upon request, but this rarely happens, or when it does, the budget is so small that nobody competent can be found.
> Unfortunately, in England and Wales, courts consider computers, as a matter of law, to have been working correctly unless there is evidence to the contrary.
Wow, not a single lawmaker there was ever a Software Engineer, eh? What a laughable presumption. The opposite would make more sense: Presume output of a computer is unreliable. Allow computers to be cross-examined (through examining source code, interviewing developers and so on) and unless the hardware and software manufacturer can prove their systems' correctness, treat it as an unreliable witness.
I can relate to the reasoning behind the law as otherwise defendants would be arguing about every single instance of computer evidence and most computer evidence (e.g. logs) is reliable to some degree. I think there needs to be a way to distinguish between simple computer evidence that is recording facts versus complex computer evidence that requires detailed knowledge of the software involved.
Most people would consider a scanned invoice to be "simple computer evidence" but as mentioned elsewhere in this thread, Xerox scanners had a bug where they were changing digits in scanned pages.
There's no amount of "double-column" accounting that will fix the situation; Fujitsu can just submit false results much like they falsely claim the software results were valid.
It's not convoluted, just prosecute them for fraud/perjury. You presented the results of a computer program as valid even when you knew they weren't, resulting in many false convictions.
It's a disgrace that no-one has been prosecuted for this travesty of justice. I don't understand how they were able to rely on falsehoods to get convictions and then not be prosecuted for perjury and conspiracy to pervert the course of justice.
There's also the issue of the Post Office "recovering" money from sub post masters that wasn't actually missing - that is surely fraud.
There needs to be some lengthy jail terms for the higher-ups responsible for overseeing this.
In the whole of history I only know of one prosecutor who was criminally charged for a wrongful conviction. And they weren't the one that did it. They just took a deathbed confession from their colleague and failed to report it.
It's been a while since I looked at this, but my recollection is that the essential smell is 'distributed transactions with unreliable connectivity and end-of-day synchronizations are hard'. Works 99.9% of the time; hard to test; impossible to debug failures after the fact without access to paper receipts or customers.
This is compounded by the system being delivered and operated by an outsourced vendor which doesn't have incentives that are aligned with those of the outsourcing organization, and the arms-length relationship to the sub-postmasters.
> As early as 2001, McDonnell’s team had found “hundreds” of bugs. [...] One, named the “Dalmellington Bug”, [...] would see the screen freeze as the user was attempting to confirm receipt of cash. Each time the user pressed “enter” on the frozen screen, it would silently update the record. In Dalmellington, that bug created a £24,000 discrepancy, which the Post Office tried to hold the post office operator responsible for.
> Another bug, called the Callendar Square bug [...] created duplicate transactions due to an error in the database underpinning the system: despite being clear duplicates, the post office operator was again held responsible for the errors.
At the high level, though, the controversy here is not any single bug.
The controversy is multiple bugs, and the failure to properly investigate or fix the bugs, and falsely telling subpostmasters nobody else was reporting bugs, and the software development process that allowed for such bugs, and the private prosecutions, and the people being wrongly jailed and bankrupted, and the justice system giving undue credence to electronic records, and the cover-ups like hiring forensic investigators then calling them off a day before they submitted their reports, and the threats to journalists, and the fact there were reports in Computer Weekly and Private Eye for many years, and the fact it's utterly inconceivable that the post office's senior management and legal team didn't know what was going on.
So we shouldn't focus on one or two major bugs and ignore the broader failings of post office managers.
As far as I know there has not. However it's been known all along.
> Jason Coyne, who worked for Preston-based Best Practice Plc at the time, was instructed to examine the computer system called Horizon in 2003. He said he notified the Post Office the data was "unreliable" but he was ignored, sacked, and then discredited.
> The 2016 investigation trawled 17 years of records to find out how often, and why, cash accounts on the Horizon IT system had been tampered with remotely. Ministers were told an investigation was happening. But after postmasters began legal action, it was suddenly stopped.
> He said he notified the Post Office the data was "unreliable" but he was ignored, sacked, and then discredited.
I always wonder if the high-ups who do these kinds of things actually reflect internally and recognize (at least in their own minds) how much of a Bond-villain they are, or if they really think they are doing the right thing by sweeping things under the rug and getting rid of boat rockers.
Dealing regularly with government officials who do this sort of stuff on a daily basis, I can promise you that they all appear to sleep very soundly every night.
That's what the inquiry is meant to do. British inquiries take forever and rarely yield any kind of justice, however.
tl;dr summary is that the root cause depends on your perspective. If you have a CS background you might define the root cause as being the bugs. If you have a management background, you might conclude the root cause was bad/malign management by the board, the civil service and the C-suite. If you have a legal background you might conclude the root cause was the unusual prosecutorial powers, the default assumption courts make that computers aren't wrong and so on.
As this is Hacker News let's roll with the first. There were many different bugs over many years and there was no single root cause. For example at least one case was caused by defective touch screen hardware that would go haywire when nobody was around to see it e.g. overnight, and start generating random clicks. Given enough random button pushes it was possible to ring up transactions that never happened, and thus never had money deposited in the till, creating phantom losses.
In other cases there was loss of transactional integrity. Database writes went missing or got duplicated due to race conditions, not helped by the original Horizon architecture in which the connection to the central DB was asynchronous, due to the existence of post offices in very rural places without good internet connectivity. It's what would nowadays be called a "local-first distributed edge deployment" or something similar. Lots of ways for that to go wrong, and if you don't have exactly-once execution in an accounting system it will appear that cash was stolen because the records say a sale or refund was made, but it wasn't.
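The independent sealed transaction log suggested earlier in the thread and the exactly-once replay problem this comment describes, as an added example that is not part of the original thread or of the Horizon system: a terminal keeps a hash-chained, MAC-sealed journal, the central ledger applies messages idempotently by transaction id, and a reconciliation step reports dropped or invented transactions instead of a bare "shortfall". The sealing key, transaction ids and amounts are constructed for the demo.

```python
import hashlib, hmac, json
SEAL_KEY = b"constructed-demo-key"  # constructed; each real terminal would hold its own key
GENESIS = "0" * 64

def _mac(body: dict) -> str:
    return hmac.new(SEAL_KEY, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()
def _link(record: dict) -> str:
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()

def append(journal: list, txid: str, amount: int) -> dict:
    # Each record commits to the previous record's hash, and the MAC makes edits detectable.
    prev = _link(journal[-1]) if journal else GENESIS
    body = {"prev": prev, "txid": txid, "amount": amount}
    record = {**body, "mac": _mac(body)}
    journal.append(record)
    return record

def verify(journal: list) -> bool:
    # True only if every MAC checks and the hash chain is unbroken from GENESIS.
    prev = GENESIS
    for rec in journal:
        body = {k: v for k, v in rec.items() if k != "mac"}
        if rec["prev"] != prev or not hmac.compare_digest(rec["mac"], _mac(body)):
            return False
        prev = _link(rec)
    return True

def apply_exactly_once(events: list) -> dict:
    # Replay store-and-forward messages keyed by txid: a duplicated message is applied once.
    ledger: dict = {}
    for ev in events:
        ledger.setdefault(ev["txid"], ev["amount"])
    return ledger

def reconcile(journal: list, ledger: dict) -> dict:
    # Compare the independent journal with the central ledger: what was dropped, what was
    # invented, and the cash discrepancy the central figures alone would show.
    expected = {r["txid"]: r["amount"] for r in journal}
    return {"missing": sorted(set(expected) - set(ledger)),
            "extra": sorted(set(ledger) - set(expected)),
            "discrepancy": sum(ledger.values()) - sum(expected.values())}

def demo() -> dict:
    # Constructed sample: three journaled sales; the flaky link duplicates t1 and drops t3.
    journal: list = []
    for tid, amt in [("t1", 500), ("t2", 1200), ("t3", 300)]:
        append(journal, tid, amt)
    sent = [{"txid": r["txid"], "amount": r["amount"]} for r in journal]
    report = reconcile(journal, apply_exactly_once([sent[0], sent[0], sent[1]]))
    return {"chain_ok": verify(journal), **report}
```

Without the journal, the central figures alone would show a 300 shortfall and nothing else; with it, the reconciliation names the dropped transaction, and any later edit to a journal record fails verification.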
> summary is that the root cause depends on your perspective.
This sounds like an exercise in obfuscating responsibility. Post Office management knew from 2003 Horizon was unreliable - they chose to bury the report. They lied in court about its reliability and manipulated expert statements to say the same. They also knowingly lied about remote altering of accounts and buried a report in 2017 on it. Let's not get lost in the weeds - the root cause of the injustice is Post Office management.
No I really meant from a technical perspective, what caused the computer system to be unreliable.
Management surely did not intend the system to be unreliable.
But I see your point, it follows the next question after "why is the system unreliable?" would be "why was the system not fixed?" and the answer is "management knowingly allowed it to be unreliable". But that's no longer a technical reason so it's less interesting.
> No I really meant from a technical perspective, what caused the computer system to be unreliable.
Replicating transactions across distributed systems is very very difficult. Horizon was clearly not designed to handle this based on the litany of errors users documented. Transactions could be silently dropped or duplicated etc. The system was also insecure and records could be silently remotely altered by Fujitsu staff.
True, but let's not get too Aristotelian about this. They are all worth looking at and all are true. They are also interlinked. Technical decisions would have been different if everyone put a high priority on correct operation. The high cost of the project ("it was the biggest non-military IT project in Europe.") created an incentive to cover up its failures.
> the default assumption courts make that computers aren't wrong and so on.
This is the most disturbing aspect of it to me. Nothing has been done to change this so it will happen again. It probably happens regularly on a smaller scale.
> It probably happens regularly on a smaller scale.
It does. Ross Anderson's Security Engineering describes how UK banks had customers prosecuted for fraud after criminals exploited bugs in chip-and-pin terminals to complete transactions without entering a PIN. The banks also successfully argued that their cryptographic transaction logs (which could definitively prove if a PIN was used) should not be admitted as evidence.
I always wonder, as it is known these software issues caused phantom losses for postmasters, was there also a number of phantom gains?
I would find it difficult to believe that these wouldn't have been reported by at least most of the postmasters, but I've never seen any mention of it.
https://samim.io/p/2022-01-24-a-computer-can-never-be-held-a...