Remote Access and Systemic Bugs

Yesterday’s evidence from Mark Davies yet again focused on the Remote Access Issue and POL’s stance that Second Sight had found no evidence of Systemic Bugs in Horizon.  I think that there is a common misunderstanding of why these are important issues.

Remote Access

It took such a long time to establish that Fujitsu always had and still have the ability to amend branch accounts with or without the approval of the Subpostmaster.   I think the time it took is the reason why the underlying issue has been almost forgotten, overlooked and has caused polarised opinion on its effect.

Nobody has ever suggested that within Fujitsu and POL there is a team (and it would take a team) of dedicated fraudsters who have remained undetected since 2000 and who have extracted for their own benefit millions of pounds from unsuspecting SPMRs.   That is a very remote possibility.

What is possible though, and proven to occur in the GLO, is that the ability to alter accounts remotely was used by Fujitsu and POL to correct errors in the system and that when they did this mistakes were made and branch accounts were affected to the detriment of SPMRs.   These mistakes probably didn’t happen very often but the fact is that they did and could happen.

This issue of Remote Access then is really to do with the investigation of discrepancies in branch accounts that led to so many false prosecutions.   Each and every investigation had to rule out the possibility that the branch accounts in question had not been subject at any time to a mistake when Remote Access was used.  FIRST.   Even before the SPMR was questioned as to the discrepancy in their accounts.

If it was possible to alter the accounts without the knowledge of the SPMR then it had to be ruled out before any other possibility could be considered.

There are so many problems associated with doing this from a POL and Fujitsu perspective that the short answer is that they could never have considered checking this possibility. We already have some idea of the time and cost of extracting ARQ data for a selected period but to do this for possibly many years of data would not be worth the effort.

The main problem of course – if they could sort out a way to provide to the court a reliable and auditable set of records to show that Remote Access hadn’t happened – was publicising the fact that they could and did alter the accounts remotely from time to time.  Once they admit to that then there are no prosecutions period.

One other way to look at it is the significant difference that Remote Access makes to the Accounts signed off by the SPMR before and after the introduction of Horizon.   In the previous paper based system there clearly was no possibility of remote access to the piece of paper the SPMR signed off as being a true reflection of his branch’s accounts.

Yesterday Mark Davies underlined the fact that POL have never to this day grasped this explanation of why Remote Access is so important.   So deeply ingrained in their belief that the quest of campaigners to establish that Remote Access was possible was in itself a red herring, they failed to realise the significance it has on past prosecutions.

Systemic Bugs

There is an email from me to Mark Davies doing the rounds about AvdB and how wonderful he thought she was.   Strangely that resulted from my attempt to explain to him what the word systemic meant in terms of bugs in a computer system.

I really do bang my head against the wall when I try and explain to people like Mark the difference between his interpretation of what systemic means and mine.

Mark’s concept of Systemic is in fact Systematic.   In effect a bug that affects every node in the network simultaneously.   An example would be that the price of a First Class Stamp is 67p and by mistake the system charges the customer 76p.   Bugs like these would be extremely obvious to users precisely because they affect every branch and there are thousands of similar transactions every day.  It would not go unnoticed and it would be fixed quickly.

Intermittent Bugs are a subset of systemic bugs.   They are caused by unlikely, unknown and random set of circumstances that could affect one or more nodes at any given time.    The effect of the bug would probably NOT be obvious to the user and what caused it to occur would be hard to identify and replicate.   

The Dalmellington bug was an example of an intermittent bug.  The SPMR performed the same process week in and week out for years both before and after the bug was identified yet one week she ended up with a £24k loss at her branch.   It had existed in the system for years and had occurred many times in random branches and could and probably did account for significant losses in branches.   All the bugs I have seen and written about are Intermittent in nature and could have caused losses in Branch Accounts.

The point about intermittent bugs that needs to be understood in much the same way as Remote Access is the effect they have on prosecutions.   That is where the reliability of computer based evidence kicks in and is much discussed by experts elsewhere.   

Yesterday, and I will have to check the transcript, I think Mark Davies stated that POL only found out about the KNOWN ERRORS LOG in 2019.   Forgetting the idiocy of that particular statement, the simplest and most effective way of understanding the Known Errors Log is that every entry in it, and there are thousands, were UNKNOWN ERRORS before they were discovered and they existed in the system undetected for years.

I am not entirely sure how a defence could not have extracted from Gareth Jenkins the obvious inference above.   E.g. MrJenkins, how do errors in your system become known and entered into the Known Errors Log?   Before that I take it they were unknown?  So how can you be sure an unknown error did not generate the discrepancy in branch accounts?  Are you willing to admit that there may be as yet unknown errors in your system that affect branch accounts?

Here is the emailI I wrote to Mark Davies in 2015 shortly before the Dalmellington Bug was discovered.   He didn’t want to listen then and he has not listened since.  

Tim McCormack <t.j.mccormack@outlook.com>

Fri 11/09/2015 17:51

To:​Mark R Davies <mark.r.davies@postoffice.co.uk>​

Hi Mark

If you wish to get involved in this great.  Twitter – which I am very new it is not the medium – but it is far more powerful than I realised,

Clearly I am a protagonist of the current ‘establishment’ at POL – no longer an SPMR but keen to see a change in attitude from POL that will protect the future of the network’s unique position in and around the UK High Streets and Villages.

We have the same goal but different visions on how to get there.

There are many issues on the table but for now – should you wish to engage with me in discussion – I’ll keep it to one issue and within that to one word – ‘systemic’.

As the mouthpiece of POL I understand it is your job to defend in Public POL’ position on the Horizon problem.  

The trouble is that Paula is adamant that there are no systemic issues with the software.   She just does not understand what ‘systemic’ means.

You cannot keep relying on millions of transactions per day across the network working as an excuse.  It only takes one transaction to go wrong and that transaction could be indicative of a ‘systemic’ failure.   Over the years I have collected enough evidence to show that this happens on a regular basis (not just the examples I have shown like Labels).

My dialogue with PV and Ms VdBogaard at the end of last year showed me that they couldn’t grasp the concept of what constitutes a systemic error and they remain oblivious to the shortcomings in the help desk that would be the central source of information that would lead to these errors being identified.

As an example – if I were to press an unexpected (by the software) sequence of keystrokes and it resulted in an unexpected event that would be classed as a bug.  I trust you agree.

That then is an example of what would be classed as a systemic bug because if an operator accidentally pressed the same sequence of keys in another branch then the same unexpected result would happen.

Take then the SPMR who called in to the Help Desk and reported the issue.  How do they explain what happened if they don’t recall what keys they pressed?  How does the help desk report this up the line to someone who could identify the problem?  It all starts to fall to pieces then doesn’t it?

You will no doubt have seen my new blog – if it doesn’t reveal I am as passionate about the future success of the network as anybody even though I no longer work within it then I would be surprised.    But it is all a bit of a mess – Paula has no future there – she has to go in order to provide an opportunity for her replacement to be contrite and accept the mismanagement of the past – call Paula a scapegoat – and I am sorry for her in one sense – but she had a chance and failed.

Up to you if you want to converse with me and if so I promise it will remain strictly confidential between us.

Cheers, Tim