One of the worst things in life is being accused of something that you didn't do. I can't imagine how horrible it must feel to go to jail over a software glitch...
It wasn't the software bugs which were the issue, it was the attitude of Fujitsu and Post office management who lied about it to the court. The post office have the ability to prosecute without an external body reviewing the evidence. This is a hangover from when it was a state monopoly.
Our local sub-postmaster used to print out a duplicate receipt for every transaction even somebody wanting a stamp and keep a copy. Post Office once said he was short and had the duplicate paper receipts to prove he wasn't. It cost him a lot of money for the extra paper rolls and ink cartridges but he said it was worth it.
Sounds like the easy fix here would be to have the stamps go through a printer and print the transaction details on the stamps. If it doesn't have that, it wasn't sold. If no one shows up with stamps that weren't sold, then all were paid for. If everyone knows the transaction details are to be printed, they won't accept stamps that were never sold. Basically you make the inventory worthless and add value at the instant of sale in the form of an electronic paper trail behind it.
I followed this case in Private Eye over the years, and it was clear from the start that the Post Office knew it was more than a coincidence that so many postmasters were coming up short, but it seemed that they just didn't want to lose face by admitting there was an error, so carried on prosecuting and prosecuting. Absolutely scandalous.
@@rcmrcm3370 That was clearly persecution. Not prosecution. The Post Office scandal was the same. If the computer says you stole the money. You're guilty. That's all the "evidence" they needed. Lord Hoffman didn't even know about software. He said "computers can't make mistakes". If you denied stealing the money. You're guilty. It was a lose-lose situation for innocent people. If this was in 1635 it would be expected. But this was all post 2000. Why did the Post Office suddenly stop prosecuting around 2012???
You know I remember a Labour MP telling me at some social event how much he hated Private Eye because it was all unsubstantiated rumours and gossip... this scandal put that comment in context.
@@forthrightgambitia1032 It's not. That's why Private Eye invite people to sue for libel. That MP is frightened Private Eye will find out something. It's like Order-Order. They expose corrupt MPs. Can I ask. Was that Labour MP involved in the expenses scandal.
I’ve worked in IT for 40 years dealing with various banking, payroll and other finance systems. One of the big things I’ve learnt is that with any complex system that no matter how much you test any error should be assumed to be in the system and not fraud. Of course fraud happens but before you start prosecuting anyone you better be really certain that it is not a system issue.
I agree in general, however when the whole point of a system is to specially detect fraud, it would be easy to assume it was a success. Those who knew about the problem likely lied to those lower down the food chain who saw the occasional sub-post office issue out of the 11,000 branches. To most in the PO, it was doing exactly as it was designed, catching fraud.
3 года назад+423
The real scandal is that the court automatically assumed that the digital data presented is correct and trustworthy. That is the main topic of our times: Are our digital systems trustworthy enough to count as evidence in court? Perhaps Computerphile should invite Ross Anderson again for some basic security engineering lessons. ;)
The real real scandal is the Post Office board KNEW and had had discussions about issues with Horizon, they KNEW these types of issues could arise and they explained the mysterious losses... yet they still prosecuted sub-postmasters for fraud and gave evidence in court KNOWING it was either false or at best misleading... The software had bugs, that was part 1. Part 2 was the post office board lying about it in court when prosecuting sub-postmasters. The court assumed the data was valid because the post office lawyers told them, and gave evidence saying there was no way the data was wrong... knowing it was. Considering the scale of this miscarriage of justice the board members of the post office present at the time who knew they were being prosecuting sub-postmasters knowing the evidence was not 100% what they said it was should all face the repercussions.
"Are our digital systems trustworthy enough to count as evidence in court?" Open source, peer-reviewed software should be a requirement for such "accept as fact"ness.
@@ConstantlyDamaged plenty of open source, peer reviewed software has bugs in it. Some quite serious.
3 года назад+9
@@ConstantlyDamaged Peer review ensures that you program does what it is supposed to do. All States should run auditing programs to ensure the software we trust these days (e.g. TLS,SSL) works as intended. But how do you proof that your final data is not tampered with? What we have learned from Microsoft is that signing does not work to ensure the data integrity, if the chain of trust is broken in one link. Analog evidence works because there is no other chain of events possible (or unlikely). Think why electronic voting is a bad idea, now take the principles and apply it to data 'evidence'.
This is something that's concerning as there is a push to trust serious decisions to software "solutions" that promise magic, or their capabilities are misunderstood.
This whole story warrants a lot more conversation in the software industry. Going forward it should be required reading alongside the Therac-25 scandal. It also demonstrates the issues with blindly trusting computer programs without any compassion for real people. The many stories of those who were prosecuted, fined, jailed, some of them dying before their verdicts were overturned, are heartbreaking.
@@forthrightgambitia1032 Indeed, the problems extended far beyond the software. I hope this case is also shown to aspiring lawyers and MBA types about the dangers of their work also. Nevertheless, other engineering disciplines (civil, mechanical, electrical) are seen to be held to a higher standard because of the immediate physical harm they can pose. As the use of software extends further into all aspects of our lives, those of use who write it need to understand how it is being written and confront the ethical challenges that may pose.
More and more I think being taught about Therac-25 and space shuttle bugs and the like is a bad idea, because it insulates you as a software engineer from these problems. The message is "if you write medical grade software or nasa-grade software you should be careful", when the real lesson is that you should *always* be careful. If you're writing accounting software, or knocking out some python to do some research, or cranking out boring enterprise internal reporting, you always always always need to care.
This was an absolute scandal and ruined people's lives. The power the post office had under an ancient law to privately interview the accused in police stations supposedly under caution and hide other cases from them was egregious and compounded the problem. My heart goes out to the victims who have suffered from these baseless accusations. I recommend all SW engineers and system designers listen to the BBC and guardian podcasts on the subject to appreciate how important it is to get these things right and show true due diligence in their profession. Don't be afraid to call out issues you might see in any systems you work on. Anthony (semi-retired SW engineer).
Our local supermarket is infamous for sending all their cashiers to jail… They claim that they all steal money… First they fine them for inconsistencies in data on their terminal, then if "theft" continues they call the police… They've sent maybe a dozen people to jail... Their system often doesn't work... Sometimes you need to retry paying with a bank card several times for the payment to go through... Sometimes the payment goes through, but the receipt printer hangs... Sometimes their system can't find the product ID when they scan the barcode... The cashiers are instructed to unplug their terminal from the mains, and plug it back... I wonder if all those cashiers were indeed innocent...
It’s a disgraceful story. Distributed transaction processing with two-phase commit was sorted and implemented in the mid-1980s. If systems today are failing the ACID test it’s due to incompetence by the system designers.
Exactly and God only know what other system are built this way I belive it is intencional to of course get a Lil some something in thei pocket I belive these "flaws" are inbeded on purpose for the same reason it is truly a shame
@@xxz4655 lols, people are lazy and take shortcuts, or want a system produced for the cheapest possible price and damn the consequences is how the world operates, and these things happen. Not some conspiracy to produce deliberately broken software.
Very true. Today's demand for a software developers is so hi that any people even with very basic skill (able to write some code and it compiles with no errors) are worthy and get employed. The average level of today's programmers is very low.
Management, not software devs are the ones ultimately responsible for the behaviour of the software as they commissioned it, supervised it and signed it off. Most of these software devs were underpaid and forced to work to badly defined, illogical and half-arsed specs and expected to perform miracles against unrealistic deadlines set by smooth talking, ignorant and greedy management who wanted to make a quick buck.
@@forthrightgambitia1032 A programmer that knowingly writes bad code with no excuse beyond "my boss told me to" is still very much responsible for their actions.
As a mainframe guy of many decades and with a knowledge of CICS transaction system( Mostly banking and Airline booking systems) I find it incredible that this Horizon system seems to have little system integrity. When testing any new systems I would routinely turn off Modems, Servers and Terminals (and pull out cables) randomly in the Acceptance phase of the testing cycle. Only with 100% robustness would a system pass muster. But the greater crime in this sorry saga is that the Post Office pretended that this was an isolated incident for each sub-post office in trying to cover up this fatally flawed system, allowing pregnant women to go to jail rather than admit their error. And finally did the tax-payers ever get their money back from Horizon?
Mainframe guy here too. I remember back in the '80s the bean counters got even more involved in IT and decided that mainframes were far too expensive and that a DEC/VAX Unix system replace it. They refused to listen to the many arguments against such a move - most of which revolved around data (and system) integrity, recoverability and ease of use. The single reason why I left the company.
Someone said the system used XML extensively but the XML schemas used were incompatible between one machine and the one it was talking to, causing the receiving machine to drop the data on occasions.
I once ordered at Burger King through these touch screens. Right at the point of paying, the system froze and did a reboot. No receipt printed, no order placed, but money withdrawn from my account... What a struggle that was to explain.. 🤦♂️ Bad code is out there, even at big companies..
I had the same issue with them. Paid with my mobile but their billing system never got the payment notification and never printed the ticket. I showed them my virtual receipt, they wrote the operation ID and fulfilled my order. The difference is BK doesn't have touch screens here.
That's because Burger King is trash. I went there a couple years ago; waited 20 minutes for a simple order which ended up giving me food poisoning. Thinking it was a problem with that BK location, I continued on with my life. Fast forward two months, I'm on the other side of the country (US) and I decide to have some BK because they can't all be bad right? Wrong! I get food poisoning again! The stuff they serve isn't even food, and the only requirement to work there is that you have a pulse. Other fast food restaurants are miles above BK and they're still not even that great
@@harleyspeedthrust4013. Did you see the recent law case where an employee of a fast food shop successfully sued his employer for wrongful dismissal after he was sacked for not washing his hands? I think it was in Canada.
Had the exact same thing happen in McDonalds a few years ago. Tapped my debit card and the kiosk then blue-screened and rebooted. Saw it was running Windows 7 Embedded.
Any company or government entity in this situation would have immediately sued a multi billion dollar corporation like Fujitsu for screwing this up so royally. The fact that the Post Office hasn't even hinted at doing that, makes me think there were some major kickbacks to some post office people when the contract was rewarded to Fujitsu, and they want to avoid that being discovered. It would also explain the ridiculous lengths that the post office went to in order to blame the local post masters, when it was extremely obvious to anyone with one brain cell that the Fujitsu system was a flawed mess
I'd not considered that. Could be. I do struggle to understand why the post office has been so belligerent about this, particularly as it's not a private organisation where profit is the only goal.
I’ve had a problem similar to this before, a meal payment transaction system would charge you without checking to see if the order had actually been successfully received. Bad code does show up often in the world.
I've had the opposite where one of the smartcard vending machines at work would top up your card but fail to signal to the server that it'd completed the topup. You could just keep putting the same £10 on your card as many times as you liked.
These kinds of bugs are remarkably easy to get. I had to fix a bug in a client's webshop that would sporadically get way more stock in thewebshop than they actually had. Turns out there was some sort of denial of service-ish thing where robots where trying to reserve as many items as they could. But ofcourse if you never actually purchase then the system will remove your shoppingcart and return the items to stock. Turns out that if people where reserving items while it was getting returned to stock the deleting of the cart would fail and a little later the same cart would be deleted again and presto; more stock than you started with. That disappeared when I implemented transactions. And yes I notified the author of the shop and basically told him to go and learn how databases work.
Well, it should be remembered this was built in the dark days before unit testing and agile development were common, where complex systems got built from nothing then tested on bulk by clunky test scripts written by non-developer testers.
@@forthrightgambitia1032 That is, more often than not, still exactly how systems are built today. Agile is commonly just a word that's bandied around, writing tests often takes three times longer than writing the production code it's testing so immediately falls by the wayside when push comes to shove, and the vast majority of QAs are not developers.
@@davidf2281 sure. Though at any half decent tech company this is definitely not how it is done (I speak from experience.) CI running automated unit tests and code reviews that demand unit testing are pretty much standard in those contexts. The fact that many mediocre software houses still follow these prehistoric patterns is why companies like Infosys have eaten their lunch: why pay a premium for crappy cowboy efforts when you can pay bargin basement prices for the same thing. Also if writing unit tests takes 3x longer you are doing it wrong. Well constructed classes and mocking mean it should take about 1.5x-2x the time, and actually less when you factor in bug fixing and patches that come from not testing it.
@@forthrightgambitia1032 I also speak from experience, and I agree with you in general. Trouble is, development is expensive and devs are often mediocre chancers, but the client usually can't tell and wants it done yesterday for the lowest cost possible. I don't think this will ever change.
@vinny142 The fix that you're describing is not for a distributed system. Imagine having a head office and a branch working with separate databases (because they don't always have a connection, remember it's early 2000s). You cannot simply do everything in one go, that's why you need consensus and recovery.
I’m on episode 3 of the itv drama and needed a break because it (I) was getting a bit emotional, came to RUclips and this was the first video in my recommendations. This is a great explanation from the tech point of view! Now I just need to find the strength to finish the drama!
after that you might like to research the code written by Professor Neil Ferguson of Imperial college which predicted 500,000 Covid deaths & scared the government to death in March 2020. He wrote it himself apparently & it never came up with the same answer twice.
I think Toby Young is one fine actor but I couldn't watch the series because I knew it would make me angry having read so much about what happened to all those fine people. I hope they find some peace now they have been vindicated, may those who have passed because of how they were treated rest in peace.
I worked in IT in the 1990s, not for the PO or Fujitsu. It was an open secret in the industry that the system was an utter shambles. The BIG question is that The Board of the PO rejected the distemper in September as having major issues that they could not implement it. However, 4 weeks... 4 WEEKS later they approved it and signed it off... WHY? I smell corruption and this may explain the 2013 cover-up.
@avtar1699 before any major system is accepted as delivered, the final interation is presented to those responsible for approving the acceptance, in this case the board of Post Office Ltd. In Septembet 1999 the final iteration was presented to the board who rejected it for not meeting 80% of the criteria required by the agreed specifications. This was then escalated to the Cabinet for a decision. Gordon Brown recommended scrapping the system but diplomatic pressure was put on the government by the Japanese and Blair decided to tell the Board to re evaluate their decision thinking it could be fixed on the hoof..the problem was that with coding, like in construction, if your foundations and architecture are at fault, which they were with Horizon which should never have been released, then it doesn't matter what you do to fix it, those problems will always be there. Blair should have scrapped it and re tendered the project.
@@HarryFlashmanVC This is why we need far more professionals in government. Politicians don't understand the risks, nor are they ever held responsible. Matt Groening's Schwarzenegger President 'I was elected to lead, not to read' was on the nose - uncomfortably so - and the consequences depicted in the movie were absolutely a parody of what actually happens. I have commented elsewhere, but the decisions that led to the compromising of the RBMK reactor design come to mind.
This was huge, people lost their livelihoods and were accused of theft and fraud and every case wrongly won by the post office against the sub postmasters was a gross miscarriage of justice. There was a woman local to me who's even own family thought she was taking money and this is a perfect example of when you should know your users. There was also some evidence of the post office and Fujitsu the supplier knowing that there were issues and remained silent while people went to jail and in one case ended their own life. (Allegedly)
@Aidan Crane "...a gross miscarriage of justice." My understanding is that justice was carried out properly and thoroughly, no laws were warped or twisted. The problem lied with "justice" being ethically barren in those circumstances.
@@jasonc3a the problem lies with the justice system being vulnerable to sophisticated lying. Hence why perjury is such a serious crime. Unfortunately the figures involved here are the "right sort of people" not likely to suffer perjury charges.
@@jasonc3a Don't twist the meaning of justice; justice is always virtuous and right. The courts did not carry out justice because the laws and the processes are not always just.
I'm surprised this sort of thing doesn't happen more often. Once you replaced the mainframe guys who were very, very careful about ACID compliance with a bunch of Java guys in the 90s and 00s who had never heard of ACID correctness and then tried to get it to work across multiple, disparate systems with no global transaction rollback was sure to break somewhere.
Couldn't agree more, as someone who has been trained by mainframe oldies. i still find it almost laughable at the approaches that my "cloud distributed agile " colleagues take. Their whole approach (still today) is based on things "working" and never bother worrying about reconciliation or detecting errors. If something fails its always "well its ... fault for failing" rather than them not writing their application to handle that failure. Our shop still runs its main processes on mf transactions (CICS /IMS) and that stuff is bombproof. If we ever get issues, its almost always something getting lost in the front-end / middleware which dosent have any sort of proper monitoring / alerting in place :(
@@TheCieronph I completely agree. Things will go wrong, your network will drop, your system will lose its power unexpectedly, your storage will fail, your configuration files will be missing, and if the code's response to any of those is "let's just move on and pretend nothing happened", it just triggers a domino effect of cascading failures.
I work at a big tech and I can say your perspective is kind of wrong. We almost write 7 lines of rigorous test code for like one line of production code. That makes sure such resilience are at place. We work agile, and we release almost daily. The issue might be at the end of the day boils down to competence. Don't let incompetent people work on critical systems.
@@swagatochatterjee7104 this varies immensely from one company to another and one field to another. In my experience, the industry average is the exact opposite - one line of test code for every ten lines of deliverable code.
One such example of the flawed system is when a post-office suffered a thunderstorm nearby and the power went off. When the power was restored the Horizon system then told the Postmaster they had an extra £32,000 worth of stamps in their shop that had appeared out of thin air.
There is a public inquiry at the moment, and the chairman has been warning people - including the post office rank-and-file investigators - that they have the right not to answer when it may self-incriminate at a later criminal trial. So it's coming, but far more slowly than banana justice came to the victims.
So grateful that this has been explained in technical detail. Did anyone else get hung up watching the drama when the guy from Bridlington in the first episode notices the discrepancy in the EFTPOS terminal printouts ~ but then doesn't bring it up with the Auditor in episode two?
You got the “isolation” in ACID wrong. It doesn't mean different parts of the system are isolated from each other, it means concurrent transactions don't interfere with one another.
Some people in very high positions knew about the mistake that put inocents in jail. Life sentences for those psychopats would be a reasonable start to making them atone for it.
This is an example of why all software that touches public funding should be free, and, in the case of internal government systems, should be released to the public. Being able to audit Horizon would've given people a fair defense in court. (See the FSFE's "Public Money, Public Code" initiative.)
I agree, but this scandal is really more of an argument for *all* accounting software to be free, not just the software touched by public funding. This could happen to literally any private company as well.
That's a load of nonsense. If it had been a commercial bank instead of the post office, the impact would have been the same. Public or private has nothing to do with it. And yes, the company that I work for does a lot of work for government and parastatals, but that doesn't change the argument. There is a lot of hard work and engineering involved, that you don't want to share so that others can take your code and undercut you. If you want free source code, have a government-run software house and see how well that is going to work.
I disagree, but all software should be tested by an independent 3rd party to verify that they do what is intended and there should be guidelines on what should be tested and how. And every update must also be tested as well.
@@SeverityOne Taxpayers paid for it. Post Office is a government run company. Should be open source. A lot of other government source code is already, and it's written by private contractors too.
@@SeverityOneThe impact wouldn't have been the same because the Post Office have the legal power to bring prosecutions, and thankfully private business doesn't have that power.
The poor software is bad enough, but the malicious and knowingly false information given by Fijitsu and the Post Office shock the conscience, and the fact they did it to profit a business and were awarded benefits from the State (in the form of honours like a CBE) make it so abhorrent to be beyond the pale.
Thanks! The main camera is a Canon EOS RP, which is designed for still photos but is pretty good at filming 1080p video. It probably also helped that I set up some lights. I just wish I remembered to look at the camera at the beginning (I realised after a while)!
Agile approach can sometimes foster these situations because it discourages solving "future problems", and it happens more often than anyone will admit. Experienced engineers can mitigate such problems but they sometimes have to fight an uphill battle to do the right thing.
Trust me, there was nothing agile about Fujitsu or the Post Office. Neither could make a cup of tea without a gantt chart and a fully mitigated RAID log.
I share this concern. Agile gives more touch points between stakeholders and team, and if the stakeholders are pointy haired and persuasive, and the team isn't sufficiently grizzled and stubborn, then due diligence is easily pushed out.
The explanation of isolation wasn't exactly correct. It is more about concurrent transactions, and the need for serializability (i.e. order of operations doesn't change final outcome) regardlessly of whether they are on the same system or not.
ICL were a UK based company, worked on projects with Barclays. Millions? Yes, more than 700 of them for the pilot alone. Zero coding standards or consistency. Saying that, much of their background is in mainframe tech, it sounds like they didn’t understand the technology they were using, hardware down to software.
Some of them have already died. Or in fact committed suicide. We have to push our politicians to take responsibility and to prosecute the Post Office upper management who knew this early on, who suppressed a negative report, who told lies and who are fully and criminally culpable for this.
I see everyone in this comments section is commenting on the (shameful) scandal itself, but I wanted to take a moment to say that this is also a great video explainer! Clearly explained so that all the main issues are understandable to even the slowest of us... great job, both Professor Murdoch and Computerphile!
Seems like the people at the post office responsible for the cover should now be accountable for ruining people's lives. Some served substantial prison sentences for this. Also, thoughts and prayers for any of the devs with Horizon on their CV :😬
Good video, definitely want to see more stuff about databases, even if it is historic information i.e. development of ACID. Steven seems like a good presenter so look forward to more from him.
He could tell you that - but he’d be lying. Its absolutely ridiculous that several people spent time in jail because The Post Office Ltd cant employ competent subcontractors e.g Fujitsu.
Still not. It might not come out, and it might not need to. There are a million ways mistakes can happen if you don't prevent them. This video gave examples of ways that things COULD go wrong.
I don't understand how one point of evidence could lead to someone being convicted. So, the system says that I've made a fraudulent transaction, but shouldn't there be a greater burden of proof? I would hope that the courts would have to prove I have money that I shouldn't have, and if I don't, I would also hope they would take a further look into the system itself - especially when this happened so often to become a scandal.
This is exactly the first thing I thought of when hear of this. I would have though that there would need to be multiple pieces of corroborating evidence to make convictions. But somehow a single piece of software being the only evidence was enough to convict in these cases. It's just absurd to have such a high level of trust in unproven technologies. And even if Horizon was properly audited by a third party and rigorously tested and such, to convict with it being the only piece of evidence is still absurd. Makes me scared of other unproven software and technologies being used as evidence because, as an example, people are already getting arrested, and having their lives ruined, solely because of false-positives with facial recognition software. And that's a technology that will never get even remotely close to as accurate as someone might think accounting software, like Horizon, should be.
@@C2Talon I recently watched that new TV show about this incident "Mr Bates vs The Post Office" and if the show is to be taken at face value apparently the post office had their own prosecutors and took unprepared postmasters to under the desk legal proceedings to convict them.
Very nice summary of the architectural issues in play here. I am very keen to find analysis of the initial business case for Horizon -and to see how much 'fraud reduction' was part of the underlying assumption. I strongly suspect that the PO mother ship has long assumed fraud was rampant - and that Horizon was touted as the answer. I think this explains the belligerence and assumption of guilt by the PO. They werent just expecting lots of legal actions. It was a desired outcome.
Notice how the large directly operated branches (not the franchised village counters run by a couple of biddies) - the really large ones with many counters. They had the same issues with "being short" by tens of thousand as the innocent biddies. But, the Post Office never prosecuted anyone from their own branches. And the Post Office lied about there being no problems whatsoever. Funny that.
As a former bookkeeper this sounds like a technology failure compounded by a bookkeeping failure. All of these shortages should have been easily catchable with daily or even weekly checks.
@@squigglesmcjr199 not necessarily, with the banking transactions you just compare electronic money in to cash money out and if you're over $800 you first look at your failed transaction log, then you look at when all the $800 withdraws were approved by bank's system and make sure they were cashed out correctly on a register, if they were then see if any $400 transactions were double charged. Then you work your way through the more time consuming troubleshooting until you find out why things don't match.
I worked for a company where the accounting software had a variance of about $2.49 between the net assets and the total equity. They must have had a weakness at some point that allowed an unbalanced transaction. To get that fixed we would have had to give the file back to the software provider. We just lived with it as it wasn’t material.
Surely the first thing the Post Office has to do NOW is to reimburse all the postmasters or their descendents with the money they stole with appropriate interest payments. After all it is still the postmasters' personal money.
It was never about "HORIZON" It was about turning the post office private. The post office was trying to create a "brand" for itself (vs just being a public service), and to make it look like all of its branches were profitable and it did not need public funding, so it can be made available for privatization. HORIZON having bugs or reporting shortfalls meant that the "brand" was not viable, which made the privatization efforts harder.
Very relevant and useful explanation. Many of the details here I was not aware of and it's obviously all blown up again. So many hidden corners to this wider story that are continuing to be exposed.
It's very challenging with such a complex IT system and when hundreds of millions of transactions are not a problem and an occasional one apparently goes wrong, then it's hard to see the error and as an outlier then you can see why it's seen as an individuals error.
Go back to using paper and pen. However old fashioned, it's much safer - and more accurate, with no possibility of technological error - and this appalling scandal could not have happened. The idea of a machine "thinking" something has happened, when it hasn't, and not having the judgment to know the fifference, is obscene. Disgraceful. Those poor sub-postmasters.
I read an essay about this. It made me wince loudly. My God, when I think about AI and how we've convinced so many people that algorithms and other AI technologies are seemingly infallible, I get shivers. We may see similar cases in the future on that front.
Google has been known to comment, to large figures like Linus Sebastian (of LTT) that their algorithm for presenting content to users - along with things like demonetisation - long ago became so complex that nobody understands why it does what it does. Now that's just RUclips, effectively a mega-CDN with implications for a few hundred thousand creators, but what other systems have outgrown human understanding? And as you say (especially commenting 2 years on from your post) how long before this happens with AI? *Critical edit - I know I said the RUclips algorithm has limited consequences, but then, a few years ago it was proven beyond doubt that the platform algorithm had developed a tendency to radicalise users. If you clicked a Jordan Peterson video, for instance, it would start trialling you on content by Andrew Tate. If you clicked a news article about a Muslim committing a crime, it turned you on to far right white supremacy videos. This stuff is already having an impact on the fabric of our lives.
Very clear explanation, thanks. The fundamental principle here is that if there is inconsistency within, or between intercommunicating, computer systems then the systems are at fault and not the user. The user could be responsible for losing physical cash or stock, so that they are inconsistent with the computer systems. I wonder what technology they were using to enforce transaction integrity. If they were just relying on coding without a transaction or database framework with two-phase commit, it would have been easy for it to go wrong. The audit log itself should be accessed via an application. It sounds as though they might have been editing the data file directly, which is not safe at all.
I have been working as a software developer for almost 40 years and this is really Database checking 101. ALWAYS use db transactions/Journaling/Commitment Control, JEZUS These Guys Were/Are Amateurs!
The kinds of developers that understand consistency algorithms are likely not going to want to work for some weird sub-branch IT department of Fujitsu doing boring accounting. So then you get a bunch of junior devs who are wet behind their ears who are just there for a paycheck and CV building. Mere cogs in a wheel. Many such cases. So yes, complete amateurs, no worse, that is a slight to amateurs, incompetent fools.
Just started watching Mr Bates vs The Post Office; probably the scariest thing I've ever seen on TV. This whole scenario is really a software developers worst nightmare. Thanks for clearly explaining what the bug actually was.
thanks: since this scandal broke, I've been looking for an explanation of the Horizon system and what went wrong from a technical point of view. the worst thing about it is not that the technology failed, but the reaction of the human beings managing it; simply refusing to believe it could be wrong instead of properly investigating it. saying that, I think software engineers do need to take responsibility for the failings of the systems they design, and the wider community needs to learn lessons of such failures. I hope such lessons will come out of the inquiry, but I think - most likely - the biggest lesson will be that the system wasn't sufficiently tested
Will this be the same committee examining the closure by the post office of several thousand post office accounts used to pay the most vulnerable blind severely disabled children and adults who have been left destitute,starving, hospitalized as a result they have not seen any income since 2nd june 2022. Will the group compensation for this legally protected group who have had their lives threatened also come from the Fiijitsu compensation scheme? Will the collapse of the horizen system effect the payments of disability incomes through the post office branches since June 2022 ? under article 11 for human rights for those with disabilities the legislation under the European convention make immediate settlement to these sorely disabled bling adults from the monies allocated by Fujitsu ?
@@hoagy_ytfc I figured from the emoji you appended to your sentence. I'm sorry to be harsh, but some jokes can come across as condescending in the context of someone asking for help, particularly when they are not very clever.
I worked as a programmer for many years on commercial systems. Let me assure you- management will seldom admit fault in the code because the company's reputation and therefore their profits depend on the system working.
I followed this via Private Eye and as a computer science graduate I was always very suspicious of the guilt attributed to the people prosecuted. It just didn't make sense that people were brazenly robbing the Post Office of money in the manner that they were supposedly doing so. Also it should have been fairly straightforward to look at the personal accounts of the defendants and seen either more cash being deposited into their accounts or them spending less from their accounts due to more cash in hand. Of course the argument could have been made that they gave the money to others but this would be unlikely. One of the biggest problems was that the prosecution hid from the defence the fact that there were many other postmasters and sub-postmasters who were being prosecuted for the same issue, so the defence could not then see the commonality in it being the computer system that was at fault. Thank you for this video because it shows just how complex transactional systems and are how difficult they are to maintain in sync - it reminds me of the Two Generals' problem which was also excellently covered on Computerphile I think.
In 1999, Post Office Counters Ltd introduced a computer accounting system called Horizon, developed by ICL (which in 2002 rebranded under the name of its Japanese owner, Fujitsu). From 2001, the Post Office company (by then renamed Post Office Limited) was a subsidiary of Royal Mail Group.
Sorry, that's a bit confusing. I totalled the third column twice so you should look at the bottom row: 7 (sales) + 3 (branch stock) - 10 (central stock) = 0. The -10 central stock comes from -100 (initial transfer to branch) + 90 (return from branch) = -10.
If that were +10, it'd add up to +20 and your books would be off. When doing double-entry accounting, every - has to show up as a + somewhere else and vice versa.
@@rolfs2165 The point is that the left side (sales + current local stock) totals +10 and the right side (current central stock) totals -10, thus making the difference zero, which is the correct answer
If these mistakes were a random wouldn't they have been equal number of cases where the postmaster was in surplus? If so what did the post office do about that? If that was not the case it implies the existence of some corrective mechanism that was built to only work in One Direction.
The transactions to the other direction are most often "bulk" transfers (a big chunk of inventory comes in and it is sold out in thousand small transactions) so there is little chance of error and they are easily spotted and corrected.
I hate to say this, but in all likelihood the PM concerned would balance the books by taking cash from the till (if that were possible, which I imagine is the case). No way were the errors all one-way.
Keeping it running is understandable because a broken system might still work better than no system. But if you keep a broken system running then sending people to jail for it being broken is criminal!
Fujistu is another of those companies that do everything on the cheap (except directors’ bonuses, of course). They pay their software developers peanuts, which means they have a constant high turnover of staff and low staff morale. The software they produce is exactly what you would expect, given those circumstances. And the government keeps awarding them contracts because they are so cheap.
The House of Lords have put forward the proposal that the victims of this post office scandle which I might add the public are paying for. Medals pathetic as they are, is an insult to the intelligence of any individual with an ounce of intelligence. Useless medals will not put a slice of bread on their table. The insult of medals should be done away with. They are and always have been a complete waste of time, space and money.
Giving the victim a piece of glittering worthless metal in the form of a medal is an insult and a get out for the guilty. They are now trying to stop this post, but I will continue to tell the truth.
common sense should have told those in charge that, after years of no problems with post masters, and then after implementing a new computer system, there are hundreds of them being prosecuted in court - that a pause is required and a complete investigation is required by at least one independent body/company + independent auditing. It is obvious that system analysis, programming and testing was not done properly. A decent manager would have understood this, and acted upon it - and there in lies the problem There are far too many people in the wrong job bluffing their way through until things become too hot or go wrong - then it's off to the next well paid position.......
One of the worst things in life is being accused of something that you didn't do.
I can't imagine how horrible it must feel to go to jail over a software glitch...
It wasn't the software bugs which were the issue, it was the attitude of Fujitsu and Post office management who lied about it to the court. The post office have the ability to prosecute without an external body reviewing the evidence. This is a hangover from when it was a state monopoly.
Thing is, they knew about these glitches and deliberately lied about them in court to cover their own arses.
People are getting all worked up over autonomous car ethics when this kind of things are going on and have real consequences
Some people managed to avoid jail, though. I know one person jumped in front of a bus.
@@AndyFletcherX31 It was a coding fault
Our local sub-postmaster used to print out a duplicate receipt for every transaction even somebody wanting a stamp and keep a copy. Post Office once said he was short and had the duplicate paper receipts to prove he wasn't. It cost him a lot of money for the extra paper rolls and ink cartridges but he said it was worth it.
Cash register don't do that by default?
@@retepaskab This is a feature that some registers have.
Sounds like the easy fix here would be to have the stamps go through a printer and print the transaction details on the stamps. If it doesn't have that, it wasn't sold. If no one shows up with stamps that weren't sold, then all were paid for. If everyone knows the transaction details are to be printed, they won't accept stamps that were never sold.
Basically you make the inventory worthless and add value at the instant of sale in the form of an electronic paper trail behind it.
@@AS-we9xi why tho. Just keep a copy.
He could have taken a picture. That's what I'd have done.
I followed this case in Private Eye over the years, and it was clear from the start that the Post Office knew it was more than a coincidence that so many postmasters were coming up short, but it seemed that they just didn't want to lose face by admitting there was an error, so carried on prosecuting and prosecuting. Absolutely scandalous.
The real scandal are the solicitors and barristers who lied to the court.
Like Julian Assange
@@rcmrcm3370 That was clearly persecution. Not prosecution.
The Post Office scandal was the same. If the computer says you stole the money. You're guilty. That's all the "evidence" they needed. Lord Hoffman didn't even know about software. He said "computers can't make mistakes".
If you denied stealing the money. You're guilty.
It was a lose-lose situation for innocent people.
If this was in 1635 it would be expected. But this was all post 2000.
Why did the Post Office suddenly stop prosecuting around 2012???
You know I remember a Labour MP telling me at some social event how much he hated Private Eye because it was all unsubstantiated rumours and gossip... this scandal put that comment in context.
@@forthrightgambitia1032 It's not. That's why Private Eye invite people to sue for libel. That MP is frightened Private Eye will find out something.
It's like Order-Order. They expose corrupt MPs.
Can I ask. Was that Labour MP involved in the expenses scandal.
I’ve worked in IT for 40 years dealing with various banking, payroll and other finance systems. One of the big things I’ve learnt is that with any complex system that no matter how much you test any error should be assumed to be in the system and not fraud. Of course fraud happens but before you start prosecuting anyone you better be really certain that it is not a system issue.
I agree in general, however when the whole point of a system is to specially detect fraud, it would be easy to assume it was a success. Those who knew about the problem likely lied to those lower down the food chain who saw the occasional sub-post office issue out of the 11,000 branches.
To most in the PO, it was doing exactly as it was designed, catching fraud.
The real scandal is that the court automatically assumed that the digital data presented is correct and trustworthy.
That is the main topic of our times: Are our digital systems trustworthy enough to count as evidence in court?
Perhaps Computerphile should invite Ross Anderson again for some basic security engineering lessons. ;)
The real real scandal is the Post Office board KNEW and had had discussions about issues with Horizon, they KNEW these types of issues could arise and they explained the mysterious losses... yet they still prosecuted sub-postmasters for fraud and gave evidence in court KNOWING it was either false or at best misleading...
The software had bugs, that was part 1. Part 2 was the post office board lying about it in court when prosecuting sub-postmasters.
The court assumed the data was valid because the post office lawyers told them, and gave evidence saying there was no way the data was wrong... knowing it was.
Considering the scale of this miscarriage of justice the board members of the post office present at the time who knew they were being prosecuting sub-postmasters knowing the evidence was not 100% what they said it was should all face the repercussions.
"Are our digital systems trustworthy enough to count as evidence in court?"
Open source, peer-reviewed software should be a requirement for such "accept as fact"ness.
@@ConstantlyDamaged plenty of open source, peer reviewed software has bugs in it.
Some quite serious.
@@ConstantlyDamaged Peer review ensures that you program does what it is supposed to do. All States should run auditing programs to ensure the software we trust these days (e.g. TLS,SSL) works as intended.
But how do you proof that your final data is not tampered with? What we have learned from Microsoft is that signing does not work to ensure the data integrity, if the chain of trust is broken in one link. Analog evidence works because there is no other chain of events possible (or unlikely).
Think why electronic voting is a bad idea, now take the principles and apply it to data 'evidence'.
This is something that's concerning as there is a push to trust serious decisions to software "solutions" that promise magic, or their capabilities are misunderstood.
2 years ago this video came out and only now is it being heard.
This whole story warrants a lot more conversation in the software industry. Going forward it should be required reading alongside the Therac-25 scandal. It also demonstrates the issues with blindly trusting computer programs without any compassion for real people. The many stories of those who were prosecuted, fined, jailed, some of them dying before their verdicts were overturned, are heartbreaking.
The problems IMO lie far more on business practices and how those constantly override engineering standards.
@@forthrightgambitia1032 Indeed, the problems extended far beyond the software. I hope this case is also shown to aspiring lawyers and MBA types about the dangers of their work also. Nevertheless, other engineering disciplines (civil, mechanical, electrical) are seen to be held to a higher standard because of the immediate physical harm they can pose. As the use of software extends further into all aspects of our lives, those of use who write it need to understand how it is being written and confront the ethical challenges that may pose.
@@forthrightgambitia1032 We need guilds or some engineering association.
More and more I think being taught about Therac-25 and space shuttle bugs and the like is a bad idea, because it insulates you as a software engineer from these problems. The message is "if you write medical grade software or nasa-grade software you should be careful", when the real lesson is that you should *always* be careful. If you're writing accounting software, or knocking out some python to do some research, or cranking out boring enterprise internal reporting, you always always always need to care.
I graduated in 1999 and we already covered the perils of technical expert witnesses.
This was an absolute scandal and ruined people's lives. The power the post office had under an ancient law to privately interview the accused in police stations supposedly under caution and hide other cases from them was egregious and compounded the problem.
My heart goes out to the victims who have suffered from these baseless accusations. I recommend all SW engineers and system designers listen to the BBC and guardian podcasts on the subject to appreciate how important it is to get these things right and show true due diligence in their profession. Don't be afraid to call out issues you might see in any systems you work on.
Anthony (semi-retired SW engineer).
Our local supermarket is infamous for sending all their cashiers to jail… They claim that they all steal money… First they fine them for inconsistencies in data on their terminal, then if "theft" continues they call the police… They've sent maybe a dozen people to jail... Their system often doesn't work... Sometimes you need to retry paying with a bank card several times for the payment to go through... Sometimes the payment goes through, but the receipt printer hangs... Sometimes their system can't find the product ID when they scan the barcode... The cashiers are instructed to unplug their terminal from the mains, and plug it back...
I wonder if all those cashiers were indeed innocent...
It’s a disgraceful story. Distributed transaction processing with two-phase commit was sorted and implemented in the mid-1980s. If systems today are failing the ACID test it’s due to incompetence by the system designers.
Exactly and God only know what other system are built this way I belive it is intencional to of course get a Lil some something in thei pocket I belive these "flaws" are inbeded on purpose for the same reason it is truly a shame
ha ha, what pretentious fools you are
@@xxz4655 lols, people are lazy and take shortcuts, or want a system produced for the cheapest possible price and damn the consequences is how the world operates, and these things happen. Not some conspiracy to produce deliberately broken software.
Very true. Today's demand for a software developers is so hi that any people even with very basic skill (able to write some code and it compiles with no errors) are worthy and get employed. The average level of today's programmers is very low.
State monopoly company doing software by contractors. 99.99999999% that The code is disgusting
Closed source, poorly audited, faceless unaccountable/uncontactable software devs.
Execution by Software rather than Executable Software.
"unaccountable"
I think this goes for most software.
Imagine the satisfaction of being able to whip out a 'git blame' as evidence in a trial.
@@Yobleck "Eh no, John, go talk to our legal department, they'll tell you what to say in court."
Management, not software devs are the ones ultimately responsible for the behaviour of the software as they commissioned it, supervised it and signed it off. Most of these software devs were underpaid and forced to work to badly defined, illogical and half-arsed specs and expected to perform miracles against unrealistic deadlines set by smooth talking, ignorant and greedy management who wanted to make a quick buck.
@@forthrightgambitia1032 A programmer that knowingly writes bad code with no excuse beyond "my boss told me to" is still very much responsible for their actions.
As a mainframe guy of many decades and with a knowledge of CICS transaction system( Mostly banking and Airline booking systems) I find it incredible that this Horizon system seems to have little system integrity. When testing any new systems I would routinely turn off Modems, Servers and Terminals (and pull out cables) randomly in the Acceptance phase of the testing cycle. Only with 100% robustness would a system pass muster. But the greater crime in this sorry saga is that the Post Office pretended that this was an isolated incident for each sub-post office in trying to cover up this fatally flawed system, allowing pregnant women to go to jail rather than admit their error. And finally did the tax-payers ever get their money back from Horizon?
well said and so accurate.
Mainframe guy here too. I remember back in the '80s the bean counters got even more involved in IT and decided that mainframes were far too expensive and that a DEC/VAX Unix system replace it. They refused to listen to the many arguments against such a move - most of which revolved around data (and system) integrity, recoverability and ease of use. The single reason why I left the company.
There also seems to be design shortcomings as the users complained about not having access to historical account transactions information.
@@skf957There is only two things bean counters are interested in, and they are profit & their bonus.
Someone said the system used XML extensively but the XML schemas used were incompatible between one machine and the one it was talking to, causing the receiving machine to drop the data on occasions.
I once ordered at Burger King through these touch screens. Right at the point of paying, the system froze and did a reboot. No receipt printed, no order placed, but money withdrawn from my account... What a struggle that was to explain.. 🤦♂️ Bad code is out there, even at big companies..
I had the same issue with them. Paid with my mobile but their billing system never got the payment notification and never printed the ticket. I showed them my virtual receipt, they wrote the operation ID and fulfilled my order. The difference is BK doesn't have touch screens here.
That's because Burger King is trash. I went there a couple years ago; waited 20 minutes for a simple order which ended up giving me food poisoning. Thinking it was a problem with that BK location, I continued on with my life. Fast forward two months, I'm on the other side of the country (US) and I decide to have some BK because they can't all be bad right? Wrong! I get food poisoning again! The stuff they serve isn't even food, and the only requirement to work there is that you have a pulse. Other fast food restaurants are miles above BK and they're still not even that great
@@harleyspeedthrust4013 All fast food is utter trash and is far away from real food, doesnt stop me from eating it though.
@@harleyspeedthrust4013. Did you see the recent law case where an employee of a fast food shop successfully sued his employer for wrongful dismissal after he was sacked for not washing his hands? I think it was in Canada.
Had the exact same thing happen in McDonalds a few years ago. Tapped my debit card and the kiosk then blue-screened and rebooted. Saw it was running Windows 7 Embedded.
Any company or government entity in this situation would have immediately sued a multi billion dollar corporation like Fujitsu for screwing this up so royally. The fact that the Post Office hasn't even hinted at doing that, makes me think there were some major kickbacks to some post office people when the contract was rewarded to Fujitsu, and they want to avoid that being discovered. It would also explain the ridiculous lengths that the post office went to in order to blame the local post masters, when it was extremely obvious to anyone with one brain cell that the Fujitsu system was a flawed mess
I'd not considered that. Could be. I do struggle to understand why the post office has been so belligerent about this, particularly as it's not a private organisation where profit is the only goal.
Fujitsu told the post office repeatedly that the system had bugs, the post office actively ignored it
Got it in one! 💯
I’ve had a problem similar to this before, a meal payment transaction system would charge you without checking to see if the order had actually been successfully received. Bad code does show up often in the world.
I've had the opposite where one of the smartcard vending machines at work would top up your card but fail to signal to the server that it'd completed the topup. You could just keep putting the same £10 on your card as many times as you liked.
These kinds of bugs are remarkably easy to get. I had to fix a bug in a client's webshop that would sporadically get way more stock in thewebshop than they actually had. Turns out there was some sort of denial of service-ish thing where robots where trying to reserve as many items as they could. But ofcourse if you never actually purchase then the system will remove your shoppingcart and return the items to stock. Turns out that if people where reserving items while it was getting returned to stock the deleting of the cart would fail and a little later the same cart would be deleted again and presto; more stock than you started with.
That disappeared when I implemented transactions. And yes I notified the author of the shop and basically told him to go and learn how databases work.
Well, it should be remembered this was built in the dark days before unit testing and agile development were common, where complex systems got built from nothing then tested on bulk by clunky test scripts written by non-developer testers.
@@forthrightgambitia1032 That is, more often than not, still exactly how systems are built today. Agile is commonly just a word that's bandied around, writing tests often takes three times longer than writing the production code it's testing so immediately falls by the wayside when push comes to shove, and the vast majority of QAs are not developers.
@@davidf2281 sure. Though at any half decent tech company this is definitely not how it is done (I speak from experience.) CI running automated unit tests and code reviews that demand unit testing are pretty much standard in those contexts. The fact that many mediocre software houses still follow these prehistoric patterns is why companies like Infosys have eaten their lunch: why pay a premium for crappy cowboy efforts when you can pay bargin basement prices for the same thing.
Also if writing unit tests takes 3x longer you are doing it wrong. Well constructed classes and mocking mean it should take about 1.5x-2x the time, and actually less when you factor in bug fixing and patches that come from not testing it.
@@forthrightgambitia1032 I also speak from experience, and I agree with you in general. Trouble is, development is expensive and devs are often mediocre chancers, but the client usually can't tell and wants it done yesterday for the lowest cost possible. I don't think this will ever change.
@vinny142 The fix that you're describing is not for a distributed system. Imagine having a head office and a branch working with separate databases (because they don't always have a connection, remember it's early 2000s). You cannot simply do everything in one go, that's why you need consensus and recovery.
This is a wonderfully calm explanation of the technical failures behind an absolutely outrageous scandal.
I’m on episode 3 of the itv drama and needed a break because it (I) was getting a bit emotional, came to RUclips and this was the first video in my recommendations. This is a great explanation from the tech point of view! Now I just need to find the strength to finish the drama!
Same here mate, can't imagine how those poor people felt. They should be stripped of their right to procecute.
after that you might like to research the code written by Professor Neil Ferguson of Imperial college which predicted 500,000 Covid deaths & scared the government to death in March 2020. He wrote it himself apparently & it never came up with the same answer twice.
I think Toby Young is one fine actor but I couldn't watch the series because I knew it would make me angry having read so much about what happened to all those fine people. I hope they find some peace now they have been vindicated, may those who have passed because of how they were treated rest in peace.
I worked in IT in the 1990s, not for the PO or Fujitsu. It was an open secret in the industry that the system was an utter shambles. The BIG question is that
The Board of the PO rejected the distemper in September as having major issues that they could not implement it. However, 4 weeks... 4 WEEKS later they approved it and signed it off... WHY? I smell corruption and this may explain the 2013 cover-up.
Could you explain this please
@avtar1699 before any major system is accepted as delivered, the final interation is presented to those responsible for approving the acceptance, in this case the board of Post Office Ltd. In Septembet 1999 the final iteration was presented to the board who rejected it for not meeting 80% of the criteria required by the agreed specifications.
This was then escalated to the Cabinet for a decision. Gordon Brown recommended scrapping the system but diplomatic pressure was put on the government by the Japanese and Blair decided to tell the Board to re evaluate their decision thinking it could be fixed on the hoof..the problem was that with coding, like in construction, if your foundations and architecture are at fault, which they were with Horizon which should never have been released, then it doesn't matter what you do to fix it, those problems will always be there.
Blair should have scrapped it and re tendered the project.
@@HarryFlashmanVC This is why we need far more professionals in government. Politicians don't understand the risks, nor are they ever held responsible. Matt Groening's Schwarzenegger President 'I was elected to lead, not to read' was on the nose - uncomfortably so - and the consequences depicted in the movie were absolutely a parody of what actually happens. I have commented elsewhere, but the decisions that led to the compromising of the RBMK reactor design come to mind.
This was huge, people lost their livelihoods and were accused of theft and fraud and every case wrongly won by the post office against the sub postmasters was a gross miscarriage of justice.
There was a woman local to me who's even own family thought she was taking money and this is a perfect example of when you should know your users.
There was also some evidence of the post office and Fujitsu the supplier knowing that there were issues and remained silent while people went to jail and in one case ended their own life.
(Allegedly)
There is no allegedly about it. It has now been documented in court.
@Aidan Crane "...a gross miscarriage of justice." My understanding is that justice was carried out properly and thoroughly, no laws were warped or twisted. The problem lied with "justice" being ethically barren in those circumstances.
@@jasonc3a the problem lies with the justice system being vulnerable to sophisticated lying. Hence why perjury is such a serious crime. Unfortunately the figures involved here are the "right sort of people" not likely to suffer perjury charges.
@@jasonc3a Don't twist the meaning of justice; justice is always virtuous and right. The courts did not carry out justice because the laws and the processes are not always just.
How come that the justice system has no experts to examine the code of the program in such cases?
As a DBA, the gross incompetence -- from bottom to top, tools to management -- disgusts me.
I'm surprised this sort of thing doesn't happen more often. Once you replaced the mainframe guys who were very, very careful about ACID compliance with a bunch of Java guys in the 90s and 00s who had never heard of ACID correctness and then tried to get it to work across multiple, disparate systems with no global transaction rollback was sure to break somewhere.
Couldn't agree more, as someone who has been trained by mainframe oldies. i still find it almost laughable at the approaches that my "cloud distributed agile " colleagues take. Their whole approach (still today) is based on things "working" and never bother worrying about reconciliation or detecting errors. If something fails its always "well its ... fault for failing" rather than them not writing their application to handle that failure.
Our shop still runs its main processes on mf transactions (CICS /IMS) and that stuff is bombproof. If we ever get issues, its almost always something getting lost in the front-end / middleware which dosent have any sort of proper monitoring / alerting in place :(
@@TheCieronph I completely agree.
Things will go wrong, your network will drop, your system will lose its power unexpectedly, your storage will fail, your configuration files will be missing, and if the code's response to any of those is "let's just move on and pretend nothing happened", it just triggers a domino effect of cascading failures.
I blame MySQL.
I work at a big tech and I can say your perspective is kind of wrong. We almost write 7 lines of rigorous test code for like one line of production code. That makes sure such resilience are at place. We work agile, and we release almost daily. The issue might be at the end of the day boils down to competence. Don't let incompetent people work on critical systems.
@@swagatochatterjee7104 this varies immensely from one company to another and one field to another. In my experience, the industry average is the exact opposite - one line of test code for every ten lines of deliverable code.
One such example of the flawed system is when a post-office suffered a thunderstorm nearby and the power went off. When the power was restored the Horizon system then told the Postmaster they had an extra £32,000 worth of stamps in their shop that had appeared out of thin air.
Just madness
The behaviour of the Post Office was atrocious. Has anyone been held accountable?
What about fujitsu?
There is a public inquiry at the moment, and the chairman has been warning people - including the post office rank-and-file investigators - that they have the right not to answer when it may self-incriminate at a later criminal trial. So it's coming, but far more slowly than banana justice came to the victims.
I am pleasantly surprised by how many times I enjoy watching videos of the British postal system. Thanks to Tom Scott for introducing me.
So grateful that this has been explained in technical detail.
Did anyone else get hung up watching the drama when the guy from Bridlington in the first episode notices the discrepancy in the EFTPOS terminal printouts ~ but then doesn't bring it up with the Auditor in episode two?
You got the “isolation” in ACID wrong. It doesn't mean different parts of the system are isolated from each other, it means concurrent transactions don't interfere with one another.
Some people in very high positions knew about the mistake that put inocents in jail.
Life sentences for those psychopats would be a reasonable start to making them atone for it.
I don't even count these as bugs. This is a case study in terrible architecture.
Terrible architecture that leads to errors is considered a bug by many experts.
This is an example of why all software that touches public funding should be free, and, in the case of internal government systems, should be released to the public. Being able to audit Horizon would've given people a fair defense in court.
(See the FSFE's "Public Money, Public Code" initiative.)
I agree, but this scandal is really more of an argument for *all* accounting software to be free, not just the software touched by public funding. This could happen to literally any private company as well.
That's a load of nonsense. If it had been a commercial bank instead of the post office, the impact would have been the same. Public or private has nothing to do with it. And yes, the company that I work for does a lot of work for government and parastatals, but that doesn't change the argument. There is a lot of hard work and engineering involved, that you don't want to share so that others can take your code and undercut you. If you want free source code, have a government-run software house and see how well that is going to work.
I disagree, but all software should be tested by an independent 3rd party to verify that they do what is intended and there should be guidelines on what should be tested and how. And every update must also be tested as well.
@@SeverityOne Taxpayers paid for it. Post Office is a government run company. Should be open source. A lot of other government source code is already, and it's written by private contractors too.
@@SeverityOneThe impact wouldn't have been the same because the Post Office have the legal power to bring prosecutions, and thankfully private business doesn't have that power.
Having just watched the documentary on ITV I was curious as to what could cause this. Fantastic explanation, many thanks.
The poor software is bad enough, but the malicious and knowingly false information given by Fijitsu and the Post Office shock the conscience, and the fact they did it to profit a business and were awarded benefits from the State (in the form of honours like a CBE) make it so abhorrent to be beyond the pale.
Nobody mentioning the video quality of Steven Murdoch? Looks so good!
Yes the professor had some excellent filming kit :) -Sean
Thanks! The main camera is a Canon EOS RP, which is designed for still photos but is pretty good at filming 1080p video. It probably also helped that I set up some lights. I just wish I remembered to look at the camera at the beginning (I realised after a while)!
@@Computerphile. The RUclips algorithm sent me to this video, 2 years later. Very informative considering the scandal is still ongoing.
On the contrary! The sketches were hidden by the man’s hand all the time. ✍️. The camera was in the wrong place!
Agile approach can sometimes foster these situations because it discourages solving "future problems", and it happens more often than anyone will admit. Experienced engineers can mitigate such problems but they sometimes have to fight an uphill battle to do the right thing.
Trust me, there was nothing agile about Fujitsu or the Post Office. Neither could make a cup of tea without a gantt chart and a fully mitigated RAID log.
I share this concern. Agile gives more touch points between stakeholders and team, and if the stakeholders are pointy haired and persuasive, and the team isn't sufficiently grizzled and stubborn, then due diligence is easily pushed out.
Great guest. These concepts were very clearly explained in simple, brief language. Well done.
A perfect example of how we can all expect to be treated as "infallible" machines and algorithms control more and more of our lives.
they hung out loads of postmasters out to dry over this
One died before their name was cleared
Yes they were exceptionally badly treated . The effects on those people's lives were immense.
The explanation of isolation wasn't exactly correct. It is more about concurrent transactions, and the need for serializability (i.e. order of operations doesn't change final outcome) regardlessly of whether they are on the same system or not.
Let me guess: This system cost hundreds of thousands or maybe millions of pounds to be developed?
If only. Horizon cost one billion 1995 pounds (1.97B today)
@@SaffronMilkChap Holy crap
just like "reinventing" charlie-19 tracing apps in every damn country, millions
Pork pork pork!
And code from India?
ICL were a UK based company, worked on projects with Barclays. Millions? Yes, more than 700 of them for the pilot alone. Zero coding standards or consistency. Saying that, much of their background is in mainframe tech, it sounds like they didn’t understand the technology they were using, hardware down to software.
One of the most shocking scandals I have heard of. I hope those wrongly accused get the justice they deserve.
Some of them have already died. Or in fact committed suicide.
We have to push our politicians to take responsibility and to prosecute the Post Office upper management who knew this early on, who suppressed a negative report, who told lies and who are fully and criminally culpable for this.
I see everyone in this comments section is commenting on the (shameful) scandal itself, but I wanted to take a moment to say that this is also a great video explainer! Clearly explained so that all the main issues are understandable to even the slowest of us... great job, both Professor Murdoch and Computerphile!
Seems like the people at the post office responsible for the cover should now be accountable for ruining people's lives. Some served substantial prison sentences for this. Also, thoughts and prayers for any of the devs with Horizon on their CV :😬
Came back to this video after watching ITV's Mr Bates vs The Post Office
Good video, definitely want to see more stuff about databases, even if it is historic information i.e. development of ACID. Steven seems like a good presenter so look forward to more from him.
Please tell me a massive scandal isn't going to be the exact same problem used to introduce concurrency problems to freshman CS students.
He could tell you that - but he’d be lying. Its absolutely ridiculous that several people spent time in jail because The Post Office Ltd cant employ competent subcontractors e.g Fujitsu.
Are there any more videos that explain what was technically going wrong with the horizon system?
Still not. It might not come out, and it might not need to. There are a million ways mistakes can happen if you don't prevent them. This video gave examples of ways that things COULD go wrong.
Computerphile is so great. Bringing light to these kind of things.
Well it was Computer Weekly, then Private Eye that exposed this really.
I don't understand how one point of evidence could lead to someone being convicted. So, the system says that I've made a fraudulent transaction, but shouldn't there be a greater burden of proof? I would hope that the courts would have to prove I have money that I shouldn't have, and if I don't, I would also hope they would take a further look into the system itself - especially when this happened so often to become a scandal.
This is exactly the first thing I thought of when hear of this. I would have though that there would need to be multiple pieces of corroborating evidence to make convictions. But somehow a single piece of software being the only evidence was enough to convict in these cases. It's just absurd to have such a high level of trust in unproven technologies. And even if Horizon was properly audited by a third party and rigorously tested and such, to convict with it being the only piece of evidence is still absurd.
Makes me scared of other unproven software and technologies being used as evidence because, as an example, people are already getting arrested, and having their lives ruined, solely because of false-positives with facial recognition software. And that's a technology that will never get even remotely close to as accurate as someone might think accounting software, like Horizon, should be.
@@C2Talon I recently watched that new TV show about this incident "Mr Bates vs The Post Office" and if the show is to be taken at face value apparently the post office had their own prosecutors and took unprepared postmasters to under the desk legal proceedings to convict them.
Very nice summary of the architectural issues in play here. I am very keen to find analysis of the initial business case for Horizon -and to see how much 'fraud reduction' was part of the underlying assumption. I strongly suspect that the PO mother ship has long assumed fraud was rampant - and that Horizon was touted as the answer. I think this explains the belligerence and assumption of guilt by the PO. They werent just expecting lots of legal actions. It was a desired outcome.
"Computers don't make mistakes". True, but programmers do.
Notice how the large directly operated branches (not the franchised village counters run by a couple of biddies) - the really large ones with many counters.
They had the same issues with "being short" by tens of thousand as the innocent biddies. But, the Post Office never prosecuted anyone from their own branches. And the Post Office lied about there being no problems whatsoever.
Funny that.
As a former bookkeeper this sounds like a technology failure compounded by a bookkeeping failure. All of these shortages should have been easily catchable with daily or even weekly checks.
Blockchain????
@@squigglesmcjr199 not necessarily, with the banking transactions you just compare electronic money in to cash money out and if you're over $800 you first look at your failed transaction log, then you look at when all the $800 withdraws were approved by bank's system and make sure they were cashed out correctly on a register, if they were then see if any $400 transactions were double charged. Then you work your way through the more time consuming troubleshooting until you find out why things don't match.
I worked for a company where the accounting software had a variance of about $2.49 between the net assets and the total equity. They must have had a weakness at some point that allowed an unbalanced transaction.
To get that fixed we would have had to give the file back to the software provider. We just lived with it as it wasn’t material.
Surely the first thing the Post Office has to do NOW is to reimburse all the postmasters or their descendents with the money they stole with appropriate interest payments. After all it is still the postmasters' personal money.
It was never about "HORIZON"
It was about turning the post office private.
The post office was trying to create a "brand" for itself (vs just being a public service), and to make it look like all of its branches were profitable and it did not need public funding, so it can be made available for privatization. HORIZON having bugs or reporting shortfalls meant that the "brand" was not viable, which made the privatization efforts harder.
Very relevant and useful explanation. Many of the details here I was not aware of and it's obviously all blown up again. So many hidden corners to this wider story that are continuing to be exposed.
It's very challenging with such a complex IT system and when hundreds of millions of transactions are not a problem and an occasional one apparently goes wrong, then it's hard to see the error and as an outlier then you can see why it's seen as an individuals error.
Famous IT-saying: "Avoid duplication of volatile information".
The viewing figures for this video must have spiked this week!
thanks for this, this is exactly what i wanted to learn about - what bugs causes what issues. poor people who went to jail and lost their jobs
Unbelievable. A second year CS student would know how to consider these problems.
Go back to using paper and pen. However old fashioned, it's much safer - and more accurate, with no possibility of technological error - and this appalling scandal could not have happened. The idea of a machine "thinking" something has happened, when it hasn't, and not having the judgment to know the fifference, is obscene. Disgraceful. Those poor sub-postmasters.
I read an essay about this. It made me wince loudly. My God, when I think about AI and how we've convinced so many people that algorithms and other AI technologies are seemingly infallible, I get shivers. We may see similar cases in the future on that front.
Google has been known to comment, to large figures like Linus Sebastian (of LTT) that their algorithm for presenting content to users - along with things like demonetisation - long ago became so complex that nobody understands why it does what it does. Now that's just RUclips, effectively a mega-CDN with implications for a few hundred thousand creators, but what other systems have outgrown human understanding? And as you say (especially commenting 2 years on from your post) how long before this happens with AI?
*Critical edit - I know I said the RUclips algorithm has limited consequences, but then, a few years ago it was proven beyond doubt that the platform algorithm had developed a tendency to radicalise users. If you clicked a Jordan Peterson video, for instance, it would start trialling you on content by Andrew Tate. If you clicked a news article about a Muslim committing a crime, it turned you on to far right white supremacy videos. This stuff is already having an impact on the fabric of our lives.
Utterly illuminating. Thank you so much for this.
Managers knew the system was rotten and yet they continued to prosecute . Despicable beyond words . They NEED to go to jail .
Very clear explanation, thanks. The fundamental principle here is that if there is inconsistency within, or between intercommunicating, computer systems then the systems are at fault and not the user. The user could be responsible for losing physical cash or stock, so that they are inconsistent with the computer systems. I wonder what technology they were using to enforce transaction integrity. If they were just relying on coding without a transaction or database framework with two-phase commit, it would have been easy for it to go wrong. The audit log itself should be accessed via an application. It sounds as though they might have been editing the data file directly, which is not safe at all.
Prof Stephen might be the best dressed and we’ll framed guests on computerphile.
Main takeaway: 11:41 "Distributed system makes everything harder."
It's so sad that only now it is getting the push it needed a LOT of time ago
Lesson learned: If there is a way to do something wrong, government will do it the wrong way almost every time
I have been working as a software developer for almost 40 years and this is really Database checking 101. ALWAYS use db transactions/Journaling/Commitment Control,
JEZUS These Guys Were/Are Amateurs!
It's a technical atrocity, compounded by criminal conspiracy to hide evidence.
The kinds of developers that understand consistency algorithms are likely not going to want to work for some weird sub-branch IT department of Fujitsu doing boring accounting. So then you get a bunch of junior devs who are wet behind their ears who are just there for a paycheck and CV building. Mere cogs in a wheel. Many such cases. So yes, complete amateurs, no worse, that is a slight to amateurs, incompetent fools.
Super relevant here in the UK right now. Thanks for the video. An update would be good I think.
Just started watching Mr Bates vs The Post Office; probably the scariest thing I've ever seen on TV. This whole scenario is really a software developers worst nightmare. Thanks for clearly explaining what the bug actually was.
Being from across the pond, I never actually heard of this. It’s somehow comforting to know that we will always have government ineptitude in common.
thanks: since this scandal broke, I've been looking for an explanation of the Horizon system and what went wrong from a technical point of view. the worst thing about it is not that the technology failed, but the reaction of the human beings managing it; simply refusing to believe it could be wrong instead of properly investigating it. saying that, I think software engineers do need to take responsibility for the failings of the systems they design, and the wider community needs to learn lessons of such failures. I hope such lessons will come out of the inquiry, but I think - most likely - the biggest lesson will be that the system wasn't sufficiently tested
As a SWE I have to say we need more regulations in SWE field. Until we treat software like a nuclear reactor, we are going somewhere very very wrong!
Will this be the same committee examining the closure by the post office of several thousand post office accounts used to pay the most vulnerable blind severely disabled children and adults who have been left destitute,starving, hospitalized as a result they have not seen any income since 2nd june 2022. Will the group compensation for this legally protected group who have had their lives threatened also come from the Fiijitsu compensation scheme?
Will the collapse of the horizen system effect the payments of disability incomes through the post office branches since June 2022 ? under article 11 for human rights for those with disabilities the legislation under the European convention make immediate settlement to these sorely disabled bling adults from the monies allocated by Fujitsu ?
Could you please enable Auto-Generated English Closed-Captions? Even if it’s not perfect it’s really useful for non-native English speakers. Thanks
Neither of them are English 😉
@@hoagy_ytfc No, but they speak English, and are native English speakers.
@@TheDeadSource I know, I was jesting a bit
@@hoagy_ytfc I figured from the emoji you appended to your sentence. I'm sorry to be harsh, but some jokes can come across as condescending in the context of someone asking for help, particularly when they are not very clever.
@@TheDeadSource Oh ok, thanks for the lesson
The black background makes it look like the speaker is explaining the British post office in the void of intergalactic space
I worked as a programmer for many years on commercial systems. Let me assure you- management will seldom admit fault in the code because the company's reputation and therefore their profits depend on the system working.
Correction 'The Post Office/FUJITSU' scandal. Fujitsu should not be getting away with it
"What's PostgreSQL? Best practices? It's like you're talking another language!"
Its a database management system, like Oracle
Actually, it was Oracle they were using.
To err is human, but to really foul things up requires a computer. How true those words are.
I followed this via Private Eye and as a computer science graduate I was always very suspicious of the guilt attributed to the people prosecuted.
It just didn't make sense that people were brazenly robbing the Post Office of money in the manner that they were supposedly doing so.
Also it should have been fairly straightforward to look at the personal accounts of the defendants and seen either more cash being deposited into their accounts or them spending less from their accounts due to more cash in hand.
Of course the argument could have been made that they gave the money to others but this would be unlikely.
One of the biggest problems was that the prosecution hid from the defence the fact that there were many other postmasters and sub-postmasters who were being prosecuted for the same issue, so the defence could not then see the commonality in it being the computer system that was at fault.
Thank you for this video because it shows just how complex transactional systems and are how difficult they are to maintain in sync - it reminds me of the Two Generals' problem which was also excellently covered on Computerphile I think.
In 1999, Post Office Counters Ltd introduced a computer accounting system called Horizon, developed by ICL (which in 2002 rebranded under the name of its Japanese owner, Fujitsu). From 2001, the Post Office company (by then renamed Post Office Limited) was a subsidiary of Royal Mail Group.
04:23 shouldn't that second -10 be +10 in order for the 2 sides to balance ?
Sorry, that's a bit confusing. I totalled the third column twice so you should look at the bottom row: 7 (sales) + 3 (branch stock) - 10 (central stock) = 0. The -10 central stock comes from -100 (initial transfer to branch) + 90 (return from branch) = -10.
If that were +10, it'd add up to +20 and your books would be off. When doing double-entry accounting, every - has to show up as a + somewhere else and vice versa.
@@rolfs2165 The point is that the left side (sales + current local stock) totals +10 and the right side (current central stock) totals -10, thus making the difference zero, which is the correct answer
There was also a legal assumption built in to legislation that computers did not error.
So did real money go missing? My bank balance is a complex number: there is a real part and an imaginary part.
lol
Does anyone know what happened to the Horizon system? Is it still in use (presumably patched) or has it been replaced?
It's still used as of 2024
We've all heard about money missing, debt. What we've not heard about are surpluses which would occur if the sw errors were random.
If these mistakes were a random wouldn't they have been equal number of cases where the postmaster was in surplus? If so what did the post office do about that? If that was not the case it implies the existence of some corrective mechanism that was built to only work in One Direction.
The transactions to the other direction are most often "bulk" transfers (a big chunk of inventory comes in and it is sold out in thousand small transactions) so there is little chance of error and they are easily spotted and corrected.
I hate to say this, but in all likelihood the PM concerned would balance the books by taking cash from the till (if that were possible, which I imagine is the case). No way were the errors all one-way.
731 Absolutely shocking, disgraceful, the arrogance and hubris of the management. Someone needs to go to prison.
Keeping this system running this long was criminal!
Keeping it running is understandable because a broken system might still work better than no system. But if you keep a broken system running then sending people to jail for it being broken is criminal!
It needs to be investigated if Post Office executives and staff took bribes from Fujitsu.
Where you getting this info from?
Fujistu is another of those companies that do everything on the cheap (except directors’ bonuses, of course).
They pay their software developers peanuts, which means they have a constant high turnover of staff and low staff morale. The software they produce is exactly what you would expect, given those circumstances.
And the government keeps awarding them contracts because they are so cheap.
I learned these things in my third semester of computer science! How can such a large corporation make such awful software?
Greed. From the client and the consultancy.
Fujitsu was - and still is - a dinosaur. It's compartmentalised, stuck in the past and completely divorced from reality.
@@darknewt9959 In the UK they are still basically ICL beneath the new lick of paint.
Microsoft still produce garbage software. OneNote on Android is basically unusable. Nobody seems to care.
The House of Lords have put forward the proposal that the victims of this post office scandle which I might add the public are paying for. Medals pathetic as they are, is an insult to the intelligence of any individual with an ounce of intelligence. Useless medals will not put a slice of bread on their table. The insult of medals should be done away with. They are and always have been a complete waste of time, space and money.
Giving the victim a piece of glittering worthless metal in the form of a medal is an insult and a get out for the guilty.
Giving the victim a piece of glittering worthless metal in the form of a medal is an insult and a get out for the guilty. They are now trying to stop this post, but I will continue to tell the truth.
thank you so much for this great video
common sense should have told those in charge that, after years of no problems with post masters, and then after implementing a new computer system, there are hundreds of them being prosecuted in court - that a pause is required and a complete investigation is required by at least one independent body/company + independent auditing. It is obvious that system analysis, programming and testing was not done properly. A decent manager would have understood this, and acted upon it - and there in lies the problem There are far too many people in the wrong job bluffing their way through until things become too hot or go wrong - then it's off to the next well paid position.......
So this is what happens when you accidentally program an accounting database to act out the plot from Superman III or Office Space.