Swift VII: No systematic problem?
An analysis of whether Parliament was misled by the summary of the report given to the BEIS Select Committee by then Minister, Paul Scully. It concludes they were, although who was responsible?
This is necessarily a long post as it analyses in detail the central findings of the review and how it was reported to Parliament. The first public information on the review said this (Paul Scully, Written evidence submitted by the Department for Business, Energy and Industrial Strategy (POH0006) March 2020).
Apr 2016 Preliminary conclusion of the review by the POL Chair finds no systematic problem with the Horizon system.
That description emerged in a written submission by a government Minister (Paul Scully) to a Select Committee in March 2020. The impression sought to be given here is fairly described as nothing to see here. As we shall see there was in fact a great deal to see.
Let us begin by considering two of the big concerns the report recommended Post Office action on.
Misleading parliament and others on remote access
Remote access, the ability to secretly access the Horizon system remotely and alter data within it, was a bone of contention until 2019. The Post Office denied secret remote access until part way through the second Bates trial.[1] You can see why it’s important. If secret remote access was possible, Hirozon shortfalls could be the fault of Horizon engineers in Bracknell, fiddling with the system to try and make it work. This was a central plank of the Panorama programme which seems to have prompted the Review.
Swift contains an extensive section on remote access. It said, in essence, this: The system could be remotely accessed by Fujitsu, to alter/inject account entries, and this could be done without there being knowledge on the part of SPMs or records of it, including through the use of fake digital signatures. The system was, in other words, insecure and this had not been disclosed to those convicted for Horizon shortfalls. It is important to emphasise the report made this clear to Tim Parker in 2016. The evidence that suggested remote access was possible came from a whistleblower (Richard Roll who appeared in the Panorama programme) but also, and this is what persuades Swift, from the consultants Deloitte in their reports to the Post Office in 2014. We note too that what Jenkins told Swift about remote access, if anything, when they met is not discussed in the Review document. One more strangeness to add to the others.
Swift took the trouble to underline the significance of these findings. The tenor and analysis would (or should) have impacted on how readers of his report understood the significance of what he was saying:
1.45. It seems to us that the Deloitte documents in particular pose real issues for POL. First, both the existence of the Balancing Transaction capability [which made remote changes to transactions] and the wider ability of Fujitsu to 'fake' digital signatures are contrary to the public assurances provided by Fujitsu and POL about the functionality of the Horizon system. Fujitsu's comment we quote above seems to us to be simply incorrect, and POL's Westminster Hall Response is incomplete. To the extent that POL has sought to contend that branch data cannot be remotely 'amended' because a Balancing Transaction does not amend existing transactions but adds a new one, we do not consider this is a full picture of Horizon’s functionality. The reality is that a Balancing Transaction is a remotely introduced addition to branch records, added without the need for acceptance by the SPMR, which affects the branch's balance; that is its express purpose. POL has always known about the Balancing Transaction capability, although the Deloitte reports suggest the digital signature issue is something contrary to POL's understanding.
This shows that Post Office has been misleading others about Horizon functionality, a functionality which Swift says it had always known about, even though it may not have understood the added alarming detail about faking digital signatures. This comes close to saying, without quite doing so, that Post Office’s public position has been deliberately misleading. It is delicately put, perhaps partly because Swift does not need to determine whether people knowingly or recklessly misled parliament, perhaps partly to soften the blow for their client.
Given the potential for independent reviews to be opportunistically read, this is a regrettable approach. A better approach would have been to consider the impact of misleading information flows on Horizon management in general and into the Review in particular. Moreover, clarity about a matter of such concern is paramount if they are to ensure their Review’s lessons are properly conveyed to the client and others who might be misled by it. A critical question is why was a misleading position, known to be misleading, being conveyed publicly; what dos it say of the culture around Horizon.
An important further point is that Tim Parker chaired Post Office through the Bates litigation (and may have chaired the relevant litigation sub-committee). In that litigation the idea that ‘secret’ remote access was possible was denied as a significant element of the defence until mid-way through the second major trial of the matter, yet he was told this was possible in early 2016.
The remote access point is, of course, evidence of a weakness in the Horizon system but the pill is sweetened in what follows next from Swift. Only one instance of remote access being used had been indentified, they said.
146. We recognise that the existence of the two matters highlighted by Deloitte are most likely to be wild goose chases. It is improbable that they have been used beyond the identified instance. However, in the light of the consistent impression given that they do not exist at all, we consider that it is now incumbent on POL to commission work to confirm the position insofar as possible. Accordingly we make a recommendation to that effect.
Saying following up on remote access would be a wild goose chase is a surprising claim in the light of Richard Roll’s evidence to the Panoroma programme to which the Review refers. Roll indicated there were “lots of errors” when they “went in the back door and made changes” (para. 87). Swift does not evaluate those claims. Indeed, Roll’s view is treated with careful disdain (at para. 137 Roll’s comments are minimised as ambiguous and unclear. “It is difficult to deal with or respond to those comments as a result.” (para. 136)). This is a somewhat strange approach given the much more detailed description of Roll’s allegations garnered from Second Sight (para 142, footnote 8). and given they recognise in another section of the report a plausible basis for Roll’s statements, “that Fujitsu would use the functionality to correct system bugs without drawing them to the attention of POL or SPMRs in order to avoid any form of contractual penalty” (para. 142). Curiously, Second Sight appeared to hold evidence of what Roll’s allegations were which the Swift Review did not appear to seek (para 145, footnote 8).
Given that the Swift Review has spotted that Post Office has misled others about this functionality when it knew better; given the concerns of the SPMs; given Deloitte’s view that further checking of the impact of bugs on accounting errors could be expected (see below); and given Roll’s statements to Panorama, it is surprising that the mollifying wild goose suggestion was made. It may simply reflect the client-friendly structuring of the Review which we have commented on already, it may be a response to lobbying by Post Office, or be it may be a genuine view at the time; but it is certainly an odd phrase to use.
It is also worth emphasising that it is in the context of the remote access problem that they note the problem with Gareth Jenkins’ evidence discussed in a previous blog. He is noted to have omitted any reference to remote access functionality in his evidence (para. 147) and clearly knows about it given as he discussed it with author of the Rose report (para. 132). As they spoke to Jenkins a critical question is did they ask him about remote access and the extent of its use. If not, why not? It would be an omission of substance.
That they also recommend remote access be considered for disclosure to the Criminal Cases Review Commission shows they understand the materiality of the problem of remote access to potential appeals and defences, but they hedge that recommendation with the suggestion it need be done only on the advice of independent criminal counsel. As with yesterday’s post, one wonders if this road led back to Brian Altman QC.
Pressuring to Plead Guilty
A second area of strong concern voiced by the Swift Review is Post Office prosecution practice around charging and plea. The Review is plainly concerned that SPMs may have felt improperly pressured into pleading guilty to false accounting by inadequately supported theft charges.[2] Again, the emphasis in the text is striking:
this issue is one of real importance to the reputation of POL, and is something which can feasibly and reasonably be addressed now ….Cartwright King were not asked to consider the sufficiency of the evidence when undertaking their disclosure review. We do not think it is safe to infer that any advice Cartwright King gave on POL's position on any appeal must have involved a full evidential review. The allegation that POL has effectively bullied SPMRs into pleading guilty to offences by unjustifiably overloading the charge sheet is a stain on the character of the business. Moreover, it is not impossible that an SPMR would have felt pressurised into pleading guilty to false accounting believing it to be less serious when they might not otherwise have done so.
This is emphatic language on a potential problem with prosecutions, but that is not the only point of concern about how the Review was reported.
Were problems systemic? Was Parliament misled?
We can already see that there was a sytematic vulnerability in Horizon: secret remote access and there was a worrying pattern of problems in prosecutions. Although the minister at the time, Mr Scully, tells Parliament, that there are, “no systematic problem with the Horizon system,” at no point does the Review say that. The Review does report approvingly Second Sight’s interim report finding that there was no evidence of systemic problems with the Horizon software (para. 64) but also reports Second Sight’s view that, Horizon “can be systemically flawed from a user perspective” (para. 83.14) along with 19 “thematic” [a synonym of systematic?] concerns that Second Sight recorded (including finding that, “Horizon was insufficiently error repellent”, para. 82 and (at para 83): vulnerabilities associated with ATM data; “fundamentally flawed” accounting for foreign currencies; problems with lottery card systems and approaches; the inadequacy of helpline support; delays in the issuing of transaction corrections; remote access being possible without SPM knowledge; difficulties in detecting cash errors; losses caused by power and telecommunications errors; failures to detect acknowledge and improve “system and procedure” flaws once such flaws are exposed; and shortfall investigations focused on asset recovery rather than uncovering root causes).
These largely systemic problems related to the operation of Horizon not the software itself. It is a distinction of limited importance to anyone save, perhaps, Fujitsu as its authors yet the review chooses to dwell on the software as ‘the system’. The Review also largely rejects the thematic concerns:
122. We have reviewed a considerable amount of documentation concerning those thematic issues, including: the Second Sight Reports; POL's responses to those 42 reports/ including in draft Spot Review paperwork; witness evidence provided by Fujitsu in the course of criminal and civil trials which explain some apparent concerns; and the detailed investigation work clone in POIRs and CRRs for a sample of the Scheme cases. While we recognise that not every issue raised by SPMRs has been the subject of a categorical answer or explanation (still less an accepted one), we consider that is inevitable in circumstances where the events in question happened some time ago and an understanding of how the problem arose is dependent upon an accurate explanation on the part of the SPMR.
In essence, they are sceptical of the SPM claims, somewhat archly praying in aid Second Sight’s view that often errors were caused by users at the counter rather than ‘the system’ and saying too much time has elapsed in the main to investigate inadequate advice and training. A particularly important example of such a concern is the claim that following helpline advice shortfalls often doubled. The Swift Review metaphorically shrugs its shoulders, “Working out now whether the SPMR identified the correct problem, or the NSBC gave the correct advice is not likely to be possible.” (Para 152(6)) Swift seems to recognise that the NSBC helpline may have been responsible for some of the losses inflicted on SPMs, but suggests only something rather inadequate can be done about it (some cross-referencing of complaints about helpline advisers with their HR files to see if complaints about advisers were supported in their HR records).
The Review comes closest to the words Mr. Scully used when saying (para. 95):
We emphasise that none of the Second Sight reports identify systemic flaws in the Horizon system likely to have caused the losses incurred at the Scheme branches. Rather, operator errors at the counter is the usual cause identified by Second Sight (with the likelihood of those errors being exacerbated by a problems in training and support).
In that sense the Review was reassuring to the Post Office. They do recognise, in contrast, that software bugs had caused identified losses, not all of which appear to have been corrected (para 118.5) but that is not said so clearly as para 120, “We have seen nothing to suggest that these specific bugs identified have been the cause of wider loss to SPMRs in the Scheme cases or otherwise.”
That is quite a limited claim given they acknowledge indirectly elsewhere that the evidence base is incomplete: the potential for software errors to cause shortfall losses could (and perhaps should) they say be better investigated. Deloittes indicated to Swift an expectation that top-down analysis of transaction logs, “could be expected to be carried out across the relevant dataset” which would provide, “greater certainty that there was no bug which had affected some of the Scheme branches.” (paras 126). In other words, that testing might reveal bugs which Post Office and Fujitsu had not discovered but which had caused losses in branches of those complaining about Horizon (or others). The trouble was it was expensive, but it is an important caveat to the claim view that no systemic error had caused relevant errors.
Another finding of the Review, somewhat contrary to the assertion that no bugs had led to relevant errors is the recognition that unmatched credit balances in Post Office’s suspense account might “reflect uncorrected transaction discrepancies in particular branches” (para 173). We understand this to mean that Post Office may have failed to spot or correct errors and held the money which they might in fact owe to some of the SPMs. The implication, not explicitly addressed by Swift, may be that money that was said to be missing in branch was sometimes not missing at all, it might have sat in Post Office’s suspense accounts.
On this basis Swift’s own conclusion that the software had not led to problems which had been the subject of prosecutions is qualified by these two findings (further testing could be expected to be done which might reveal further bugs and the suspense accounts needed investigation) but in ways which are not emphasised in the report as caveats to the view that, “We have seen nothing to suggest that these specific bugs identified have been the cause of wider loss to SPMRs in the Scheme cases or otherwise.” They have seen two things plus the remote access evidence to suggest otherwise. The truth is this is a claim, not properly caveated, and made on a shakey foundation even on their own analysis.
Whatever criticisms one might make of the way in which Swift arrives at and presents its findings, their recommendations, the closest thing to a summary of the report, only point to the need for further work which could or should be considered by Post Office and the tenor of the reporting on two issues they cover is quite strong. These things together would not present a rosy picture of Horizon to a fair reader of the report. The Review plainly refers to systemic problems with the Horizon software (remote access) and the systems surrounding Horizon. The summary presented by (and presumably to) Mr Scully is fairly described as misleading, whether it was done deliberately or otherwise. The Review itself lacks an executive summary, and this may be one thing that could have been written to try and avoid misreporting. Instread it used its recommendations as a conclusion. They indicate their advice to the Chairman as follows:
(1) Legal advice be sought from counsel as to whether the decision to charge an SPMR with theft and false accounting could undermine the safety of any conviction for false accounting where (a) the conviction was on the basis of a guilty plea, following which and/or in return for which the theft charge was dropped" and (b) there had not been a sufficient evidential basis to bring the theft charge.
(2) If such a conviction could be undermined in those circumstances, that counsel review the prosecution file in such cases to establish whether, applying the facts and law applicable at the relevant time, there was a sufficient evidential basis to conclude that a conviction for theft was a realistic prospect such that the charge was properly brought.
(3) POL consider instructing a suitably qualified party to carry out an analysis of the relevant transaction logs for branches within the Scheme to confirm, insofar as possible, whether any bugs in the Horizon system are revealed by the dataset which caused discrepancies in the accounting position of any of those branches.
(4) POL instruct a suitably qualified party to carry out a full review of the use of Balancing Transactions throughout the lifetime of the Horizon system, insofar as possible, to independently confirm from Horizon system records the number and circumstances of their use.
(5) POL instruct a suitably qualified party to carry out a full review of the controls over and use of the capability of authorised Fujitsu personnel to create, amend or delete baskets within the sealed audit store throughout the lifetime of the Horizon system, insofar as possible.
(6) POL seek specialist legal advice from external counsel as to whether the Deloitte reports, or the information within them concerning Balancing Transactions and Fujitsu's ability to delete and amend data in the audit store, should be disclosed to defendants of criminal prosecutions brought by POL. This advice should also address whether disclosure should be made, if it has not been to the CCRC.
(7) POL cross-reference specific complaints about misleading advice from NBSC call-handlers with the possible employees who provided that advice and consider their personnel files, where available, for evidence as to the likelihood that the complaint may be well-founded.
(8) POL commission forensic accountants to review the unmatched balances on POL's general suspense account to explain the relationship (or lack thereof) with branch discrepancies and the extent to which those balances can be attributed to and repaid to specific branches.
Whilst it might be technically correct to say, as Scully’s written answer did, that the Review found, “no systematic problem with the Horizon system” in the sense the Review emphasises (as another example of framing helpful to the Post Office) the software is the system, saying there is no systematic problem is misleading given of the report’s recommendations at paras a to f. As we have seen, the point about plea bargains and remote access were emphasised with quite strong language in the Swift Review itself. Indeed, it seems fair to suggest several of these points raise undamental weaknesses in the Horizon system properly conceived.
We will turn shortly to how that misleading summary came about…
[1] Bates No 6, 539
[2] They view this as applying to 18 cases (para. 100).
[3] The limitations of their expertise are mentioned in the previous paragraph. We would not want to labour the point, but such a critical, positive statement needs the qualification resting alongside it.
[4] Inappropriate pressure to plead and the failure to disclosure remote access in particular.
[5] ~ Richard Moorhead, ‘The Levitt Report: Independence Frayed’ (Lawyer Watch, 11 September 2021) <https://lawyerwatch.wordpress.com/2021/09/11/the-levitt-report-independence-frayed/> accessed 21 October 2021.
[6] Moorhead, Nokes and Helm, ‘The Conduct of Horizon Prosecutions and Appeals, Post Office Project: Working Paper 3’ (n 4).
[7] Altman et al (n 21) para. 14.2.