Post Office Horizon Scandal - Computerphile
HTML-код
- Опубликовано: 3 июн 2024
- Computer bugs were found to be the reason many sub-postmasters and sub-postmistresses were wrongly convicted of stealing and false accounting. Professor Steven Murdoch, a professor of Security Engineering and a Royal Society University Research Fellow at UCL explains the sorts of faults that were found.
EXTRA BITS: • EXTRA BITS - More on T...
Professor Murdoch's blog post about this: bit.ly/C_PostOfficeBlog
BBC Podcast about the Post Office Scandal: www.bbc.co.uk/sounds/series/m...
/ computerphile
/ computer_phile
This video was filmed and edited by Sean Riley.
Computer Science at the University of Nottingham: bit.ly/nottscomputer
Computerphile is a sister project to Brady Haran's Numberphile. More at www.bradyharan.com
Our local sub-postmaster used to print out a duplicate receipt for every transaction even somebody wanting a stamp and keep a copy. Post Office once said he was short and had the duplicate paper receipts to prove he wasn't. It cost him a lot of money for the extra paper rolls and ink cartridges but he said it was worth it.
Cash register don't do that by default?
@@retepaskab This is a feature that some registers have.
Sounds like the easy fix here would be to have the stamps go through a printer and print the transaction details on the stamps. If it doesn't have that, it wasn't sold. If no one shows up with stamps that weren't sold, then all were paid for. If everyone knows the transaction details are to be printed, they won't accept stamps that were never sold.
Basically you make the inventory worthless and add value at the instant of sale in the form of an electronic paper trail behind it.
@@AS-we9xi why tho. Just keep a copy.
He could have taken a picture. That's what I'd have done.
I followed this case in Private Eye over the years, and it was clear from the start that the Post Office knew it was more than a coincidence that so many postmasters were coming up short, but it seemed that they just didn't want to lose face by admitting there was an error, so carried on prosecuting and prosecuting. Absolutely scandalous.
The real scandal are the solicitors and barristers who lied to the court.
Like Julian Assange
@@rcmrcm3370 That was clearly persecution. Not prosecution.
The Post Office scandal was the same. If the computer says you stole the money. You're guilty. That's all the "evidence" they needed. Lord Hoffman didn't even know about software. He said "computers can't make mistakes".
If you denied stealing the money. You're guilty.
It was a lose-lose situation for innocent people.
If this was in 1635 it would be expected. But this was all post 2000.
Why did the Post Office suddenly stop prosecuting around 2012???
You know I remember a Labour MP telling me at some social event how much he hated Private Eye because it was all unsubstantiated rumours and gossip... this scandal put that comment in context.
@@forthrightgambitia1032 It's not. That's why Private Eye invite people to sue for libel. That MP is frightened Private Eye will find out something.
It's like Order-Order. They expose corrupt MPs.
Can I ask. Was that Labour MP involved in the expenses scandal.
One of the worst things in life is being accused of something that you didn't do.
I can't imagine how horrible it must feel to go to jail over a software glitch...
It wasn't the software bugs which were the issue, it was the attitude of Fujitsu and Post office management who lied about it to the court. The post office have the ability to prosecute without an external body reviewing the evidence. This is a hangover from when it was a state monopoly.
Thing is, they knew about these glitches and deliberately lied about them in court to cover their own arses.
People are getting all worked up over autonomous car ethics when this kind of things are going on and have real consequences
Some people managed to avoid jail, though. I know one person jumped in front of a bus.
@@AndyFletcherX31 It was a coding fault
2 years ago this video came out and only now is it being heard.
Our local supermarket is infamous for sending all their cashiers to jail… They claim that they all steal money… First they fine them for inconsistencies in data on their terminal, then if "theft" continues they call the police… They've sent maybe a dozen people to jail... Their system often doesn't work... Sometimes you need to retry paying with a bank card several times for the payment to go through... Sometimes the payment goes through, but the receipt printer hangs... Sometimes their system can't find the product ID when they scan the barcode... The cashiers are instructed to unplug their terminal from the mains, and plug it back...
I wonder if all those cashiers were indeed innocent...
I’ve worked in IT for 40 years dealing with various banking, payroll and other finance systems. One of the big things I’ve learnt is that with any complex system that no matter how much you test any error should be assumed to be in the system and not fraud. Of course fraud happens but before you start prosecuting anyone you better be really certain that it is not a system issue.
I agree in general, however when the whole point of a system is to specially detect fraud, it would be easy to assume it was a success. Those who knew about the problem likely lied to those lower down the food chain who saw the occasional sub-post office issue out of the 11,000 branches.
To most in the PO, it was doing exactly as it was designed, catching fraud.
The real scandal is that the court automatically assumed that the digital data presented is correct and trustworthy.
That is the main topic of our times: Are our digital systems trustworthy enough to count as evidence in court?
Perhaps Computerphile should invite Ross Anderson again for some basic security engineering lessons. ;)
The real real scandal is the Post Office board KNEW and had had discussions about issues with Horizon, they KNEW these types of issues could arise and they explained the mysterious losses... yet they still prosecuted sub-postmasters for fraud and gave evidence in court KNOWING it was either false or at best misleading...
The software had bugs, that was part 1. Part 2 was the post office board lying about it in court when prosecuting sub-postmasters.
The court assumed the data was valid because the post office lawyers told them, and gave evidence saying there was no way the data was wrong... knowing it was.
Considering the scale of this miscarriage of justice the board members of the post office present at the time who knew they were being prosecuting sub-postmasters knowing the evidence was not 100% what they said it was should all face the repercussions.
"Are our digital systems trustworthy enough to count as evidence in court?"
Open source, peer-reviewed software should be a requirement for such "accept as fact"ness.
@@ConstantlyDamaged plenty of open source, peer reviewed software has bugs in it.
Some quite serious.
@@ConstantlyDamaged Peer review ensures that you program does what it is supposed to do. All States should run auditing programs to ensure the software we trust these days (e.g. TLS,SSL) works as intended.
But how do you proof that your final data is not tampered with? What we have learned from Microsoft is that signing does not work to ensure the data integrity, if the chain of trust is broken in one link. Analog evidence works because there is no other chain of events possible (or unlikely).
Think why electronic voting is a bad idea, now take the principles and apply it to data 'evidence'.
This is something that's concerning as there is a push to trust serious decisions to software "solutions" that promise magic, or their capabilities are misunderstood.
It’s a disgraceful story. Distributed transaction processing with two-phase commit was sorted and implemented in the mid-1980s. If systems today are failing the ACID test it’s due to incompetence by the system designers.
Exactly and God only know what other system are built this way I belive it is intencional to of course get a Lil some something in thei pocket I belive these "flaws" are inbeded on purpose for the same reason it is truly a shame
ha ha, what pretentious fools you are
@@xxz4655 lols, people are lazy and take shortcuts, or want a system produced for the cheapest possible price and damn the consequences is how the world operates, and these things happen. Not some conspiracy to produce deliberately broken software.
Very true. Today's demand for a software developers is so hi that any people even with very basic skill (able to write some code and it compiles with no errors) are worthy and get employed. The average level of today's programmers is very low.
State monopoly company doing software by contractors. 99.99999999% that The code is disgusting
This was an absolute scandal and ruined people's lives. The power the post office had under an ancient law to privately interview the accused in police stations supposedly under caution and hide other cases from them was egregious and compounded the problem.
My heart goes out to the victims who have suffered from these baseless accusations. I recommend all SW engineers and system designers listen to the BBC and guardian podcasts on the subject to appreciate how important it is to get these things right and show true due diligence in their profession. Don't be afraid to call out issues you might see in any systems you work on.
Anthony (semi-retired SW engineer).
I once ordered at Burger King through these touch screens. Right at the point of paying, the system froze and did a reboot. No receipt printed, no order placed, but money withdrawn from my account... What a struggle that was to explain.. 🤦♂️ Bad code is out there, even at big companies..
I had the same issue with them. Paid with my mobile but their billing system never got the payment notification and never printed the ticket. I showed them my virtual receipt, they wrote the operation ID and fulfilled my order. The difference is BK doesn't have touch screens here.
That's because Burger King is trash. I went there a couple years ago; waited 20 minutes for a simple order which ended up giving me food poisoning. Thinking it was a problem with that BK location, I continued on with my life. Fast forward two months, I'm on the other side of the country (US) and I decide to have some BK because they can't all be bad right? Wrong! I get food poisoning again! The stuff they serve isn't even food, and the only requirement to work there is that you have a pulse. Other fast food restaurants are miles above BK and they're still not even that great
@@harleyspeedthrust4013 All fast food is utter trash and is far away from real food, doesnt stop me from eating it though.
@@harleyspeedthrust4013. Did you see the recent law case where an employee of a fast food shop successfully sued his employer for wrongful dismissal after he was sacked for not washing his hands? I think it was in Canada.
Had the exact same thing happen in McDonalds a few years ago. Tapped my debit card and the kiosk then blue-screened and rebooted. Saw it was running Windows 7 Embedded.
This whole story warrants a lot more conversation in the software industry. Going forward it should be required reading alongside the Therac-25 scandal. It also demonstrates the issues with blindly trusting computer programs without any compassion for real people. The many stories of those who were prosecuted, fined, jailed, some of them dying before their verdicts were overturned, are heartbreaking.
The problems IMO lie far more on business practices and how those constantly override engineering standards.
@@forthrightgambitia1032 Indeed, the problems extended far beyond the software. I hope this case is also shown to aspiring lawyers and MBA types about the dangers of their work also. Nevertheless, other engineering disciplines (civil, mechanical, electrical) are seen to be held to a higher standard because of the immediate physical harm they can pose. As the use of software extends further into all aspects of our lives, those of use who write it need to understand how it is being written and confront the ethical challenges that may pose.
@@forthrightgambitia1032 We need guilds or some engineering association.
More and more I think being taught about Therac-25 and space shuttle bugs and the like is a bad idea, because it insulates you as a software engineer from these problems. The message is "if you write medical grade software or nasa-grade software you should be careful", when the real lesson is that you should *always* be careful. If you're writing accounting software, or knocking out some python to do some research, or cranking out boring enterprise internal reporting, you always always always need to care.
I graduated in 1999 and we already covered the perils of technical expert witnesses.
Closed source, poorly audited, faceless unaccountable/uncontactable software devs.
Execution by Software rather than Executable Software.
"unaccountable"
I think this goes for most software.
Imagine the satisfaction of being able to whip out a 'git blame' as evidence in a trial.
@@Yobleck "Eh no, John, go talk to our legal department, they'll tell you what to say in court."
Management, not software devs are the ones ultimately responsible for the behaviour of the software as they commissioned it, supervised it and signed it off. Most of these software devs were underpaid and forced to work to badly defined, illogical and half-arsed specs and expected to perform miracles against unrealistic deadlines set by smooth talking, ignorant and greedy management who wanted to make a quick buck.
@@forthrightgambitia1032 A programmer that knowingly writes bad code with no excuse beyond "my boss told me to" is still very much responsible for their actions.
I don't even count these as bugs. This is a case study in terrible architecture.
Any company or government entity in this situation would have immediately sued a multi billion dollar corporation like Fujitsu for screwing this up so royally. The fact that the Post Office hasn't even hinted at doing that, makes me think there were some major kickbacks to some post office people when the contract was rewarded to Fujitsu, and they want to avoid that being discovered. It would also explain the ridiculous lengths that the post office went to in order to blame the local post masters, when it was extremely obvious to anyone with one brain cell that the Fujitsu system was a flawed mess
I'd not considered that. Could be. I do struggle to understand why the post office has been so belligerent about this, particularly as it's not a private organisation where profit is the only goal.
Fujitsu told the post office repeatedly that the system had bugs, the post office actively ignored it
Got it in one! 💯
As a mainframe guy of many decades and with a knowledge of CICS transaction system( Mostly banking and Airline booking systems) I find it incredible that this Horizon system seems to have little system integrity. When testing any new systems I would routinely turn off Modems, Servers and Terminals (and pull out cables) randomly in the Acceptance phase of the testing cycle. Only with 100% robustness would a system pass muster. But the greater crime in this sorry saga is that the Post Office pretended that this was an isolated incident for each sub-post office in trying to cover up this fatally flawed system, allowing pregnant women to go to jail rather than admit their error. And finally did the tax-payers ever get their money back from Horizon?
well said and so accurate.
Mainframe guy here too. I remember back in the '80s the bean counters got even more involved in IT and decided that mainframes were far too expensive and that a DEC/VAX Unix system replace it. They refused to listen to the many arguments against such a move - most of which revolved around data (and system) integrity, recoverability and ease of use. The single reason why I left the company.
There also seems to be design shortcomings as the users complained about not having access to historical account transactions information.
@@skf957There is only two things bean counters are interested in, and they are profit & their bonus.
Someone said the system used XML extensively but the XML schemas used were incompatible between one machine and the one it was talking to, causing the receiving machine to drop the data on occasions.
I’m on episode 3 of the itv drama and needed a break because it (I) was getting a bit emotional, came to RUclips and this was the first video in my recommendations. This is a great explanation from the tech point of view! Now I just need to find the strength to finish the drama!
Same here mate, can't imagine how those poor people felt. They should be stripped of their right to procecute.
after that you might like to research the code written by Professor Neil Ferguson of Imperial college which predicted 500,000 Covid deaths & scared the government to death in March 2020. He wrote it himself apparently & it never came up with the same answer twice.
I think Toby Young is one fine actor but I couldn't watch the series because I knew it would make me angry having read so much about what happened to all those fine people. I hope they find some peace now they have been vindicated, may those who have passed because of how they were treated rest in peace.
I’ve had a problem similar to this before, a meal payment transaction system would charge you without checking to see if the order had actually been successfully received. Bad code does show up often in the world.
I've had the opposite where one of the smartcard vending machines at work would top up your card but fail to signal to the server that it'd completed the topup. You could just keep putting the same £10 on your card as many times as you liked.
The behaviour of the Post Office was atrocious. Has anyone been held accountable?
What about fujitsu?
There is a public inquiry at the moment, and the chairman has been warning people - including the post office rank-and-file investigators - that they have the right not to answer when it may self-incriminate at a later criminal trial. So it's coming, but far more slowly than banana justice came to the victims.
I worked in IT in the 1990s, not for the PO or Fujitsu. It was an open secret in the industry that the system was an utter shambles. The BIG question is that
The Board of the PO rejected the distemper in September as having major issues that they could not implement it. However, 4 weeks... 4 WEEKS later they approved it and signed it off... WHY? I smell corruption and this may explain the 2013 cover-up.
Could you explain this please
@avtar1699 before any major system is accepted as delivered, the final interation is presented to those responsible for approving the acceptance, in this case the board of Post Office Ltd. In Septembet 1999 the final iteration was presented to the board who rejected it for not meeting 80% of the criteria required by the agreed specifications.
This was then escalated to the Cabinet for a decision. Gordon Brown recommended scrapping the system but diplomatic pressure was put on the government by the Japanese and Blair decided to tell the Board to re evaluate their decision thinking it could be fixed on the hoof..the problem was that with coding, like in construction, if your foundations and architecture are at fault, which they were with Horizon which should never have been released, then it doesn't matter what you do to fix it, those problems will always be there.
Blair should have scrapped it and re tendered the project.
@@HarryFlashmanVC This is why we need far more professionals in government. Politicians don't understand the risks, nor are they ever held responsible. Matt Groening's Schwarzenegger President 'I was elected to lead, not to read' was on the nose - uncomfortably so - and the consequences depicted in the movie were absolutely a parody of what actually happens. I have commented elsewhere, but the decisions that led to the compromising of the RBMK reactor design come to mind.
One such example of the flawed system is when a post-office suffered a thunderstorm nearby and the power went off. When the power was restored the Horizon system then told the Postmaster they had an extra £32,000 worth of stamps in their shop that had appeared out of thin air.
Just madness
These kinds of bugs are remarkably easy to get. I had to fix a bug in a client's webshop that would sporadically get way more stock in thewebshop than they actually had. Turns out there was some sort of denial of service-ish thing where robots where trying to reserve as many items as they could. But ofcourse if you never actually purchase then the system will remove your shoppingcart and return the items to stock. Turns out that if people where reserving items while it was getting returned to stock the deleting of the cart would fail and a little later the same cart would be deleted again and presto; more stock than you started with.
That disappeared when I implemented transactions. And yes I notified the author of the shop and basically told him to go and learn how databases work.
Well, it should be remembered this was built in the dark days before unit testing and agile development were common, where complex systems got built from nothing then tested on bulk by clunky test scripts written by non-developer testers.
@@forthrightgambitia1032 That is, more often than not, still exactly how systems are built today. Agile is commonly just a word that's bandied around, writing tests often takes three times longer than writing the production code it's testing so immediately falls by the wayside when push comes to shove, and the vast majority of QAs are not developers.
@@davidf2281 sure. Though at any half decent tech company this is definitely not how it is done (I speak from experience.) CI running automated unit tests and code reviews that demand unit testing are pretty much standard in those contexts. The fact that many mediocre software houses still follow these prehistoric patterns is why companies like Infosys have eaten their lunch: why pay a premium for crappy cowboy efforts when you can pay bargin basement prices for the same thing.
Also if writing unit tests takes 3x longer you are doing it wrong. Well constructed classes and mocking mean it should take about 1.5x-2x the time, and actually less when you factor in bug fixing and patches that come from not testing it.
@@forthrightgambitia1032 I also speak from experience, and I agree with you in general. Trouble is, development is expensive and devs are often mediocre chancers, but the client usually can't tell and wants it done yesterday for the lowest cost possible. I don't think this will ever change.
@vinny142 The fix that you're describing is not for a distributed system. Imagine having a head office and a branch working with separate databases (because they don't always have a connection, remember it's early 2000s). You cannot simply do everything in one go, that's why you need consensus and recovery.
As a DBA, the gross incompetence -- from bottom to top, tools to management -- disgusts me.
You got the “isolation” in ACID wrong. It doesn't mean different parts of the system are isolated from each other, it means concurrent transactions don't interfere with one another.
I'm surprised this sort of thing doesn't happen more often. Once you replaced the mainframe guys who were very, very careful about ACID compliance with a bunch of Java guys in the 90s and 00s who had never heard of ACID correctness and then tried to get it to work across multiple, disparate systems with no global transaction rollback was sure to break somewhere.
Couldn't agree more, as someone who has been trained by mainframe oldies. i still find it almost laughable at the approaches that my "cloud distributed agile " colleagues take. Their whole approach (still today) is based on things "working" and never bother worrying about reconciliation or detecting errors. If something fails its always "well its ... fault for failing" rather than them not writing their application to handle that failure.
Our shop still runs its main processes on mf transactions (CICS /IMS) and that stuff is bombproof. If we ever get issues, its almost always something getting lost in the front-end / middleware which dosent have any sort of proper monitoring / alerting in place :(
@@TheCieronph I completely agree.
Things will go wrong, your network will drop, your system will lose its power unexpectedly, your storage will fail, your configuration files will be missing, and if the code's response to any of those is "let's just move on and pretend nothing happened", it just triggers a domino effect of cascading failures.
I blame MySQL.
I work at a big tech and I can say your perspective is kind of wrong. We almost write 7 lines of rigorous test code for like one line of production code. That makes sure such resilience are at place. We work agile, and we release almost daily. The issue might be at the end of the day boils down to competence. Don't let incompetent people work on critical systems.
@@swagatochatterjee7104 this varies immensely from one company to another and one field to another. In my experience, the industry average is the exact opposite - one line of test code for every ten lines of deliverable code.
This was huge, people lost their livelihoods and were accused of theft and fraud and every case wrongly won by the post office against the sub postmasters was a gross miscarriage of justice.
There was a woman local to me who's even own family thought she was taking money and this is a perfect example of when you should know your users.
There was also some evidence of the post office and Fujitsu the supplier knowing that there were issues and remained silent while people went to jail and in one case ended their own life.
(Allegedly)
There is no allegedly about it. It has now been documented in court.
@Aidan Crane "...a gross miscarriage of justice." My understanding is that justice was carried out properly and thoroughly, no laws were warped or twisted. The problem lied with "justice" being ethically barren in those circumstances.
@@jasonc3a the problem lies with the justice system being vulnerable to sophisticated lying. Hence why perjury is such a serious crime. Unfortunately the figures involved here are the "right sort of people" not likely to suffer perjury charges.
@@jasonc3a Don't twist the meaning of justice; justice is always virtuous and right. The courts did not carry out justice because the laws and the processes are not always just.
How come that the justice system has no experts to examine the code of the program in such cases?
I am pleasantly surprised by how many times I enjoy watching videos of the British postal system. Thanks to Tom Scott for introducing me.
This is a wonderfully calm explanation of the technical failures behind an absolutely outrageous scandal.
Some people in very high positions knew about the mistake that put inocents in jail.
Life sentences for those psychopats would be a reasonable start to making them atone for it.
The poor software is bad enough, but the malicious and knowingly false information given by Fijitsu and the Post Office shock the conscience, and the fact they did it to profit a business and were awarded benefits from the State (in the form of honours like a CBE) make it so abhorrent to be beyond the pale.
Came back to this video after watching ITV's Mr Bates vs The Post Office
"Computers don't make mistakes". True, but programmers do.
So grateful that this has been explained in technical detail.
Did anyone else get hung up watching the drama when the guy from Bridlington in the first episode notices the discrepancy in the EFTPOS terminal printouts ~ but then doesn't bring it up with the Auditor in episode two?
they hung out loads of postmasters out to dry over this
One died before their name was cleared
Yes they were exceptionally badly treated . The effects on those people's lives were immense.
I don't understand how one point of evidence could lead to someone being convicted. So, the system says that I've made a fraudulent transaction, but shouldn't there be a greater burden of proof? I would hope that the courts would have to prove I have money that I shouldn't have, and if I don't, I would also hope they would take a further look into the system itself - especially when this happened so often to become a scandal.
This is exactly the first thing I thought of when hear of this. I would have though that there would need to be multiple pieces of corroborating evidence to make convictions. But somehow a single piece of software being the only evidence was enough to convict in these cases. It's just absurd to have such a high level of trust in unproven technologies. And even if Horizon was properly audited by a third party and rigorously tested and such, to convict with it being the only piece of evidence is still absurd.
Makes me scared of other unproven software and technologies being used as evidence because, as an example, people are already getting arrested, and having their lives ruined, solely because of false-positives with facial recognition software. And that's a technology that will never get even remotely close to as accurate as someone might think accounting software, like Horizon, should be.
@@C2Talon I recently watched that new TV show about this incident "Mr Bates vs The Post Office" and if the show is to be taken at face value apparently the post office had their own prosecutors and took unprepared postmasters to under the desk legal proceedings to convict them.
Agile approach can sometimes foster these situations because it discourages solving "future problems", and it happens more often than anyone will admit. Experienced engineers can mitigate such problems but they sometimes have to fight an uphill battle to do the right thing.
Trust me, there was nothing agile about Fujitsu or the Post Office. Neither could make a cup of tea without a gantt chart and a fully mitigated RAID log.
I share this concern. Agile gives more touch points between stakeholders and team, and if the stakeholders are pointy haired and persuasive, and the team isn't sufficiently grizzled and stubborn, then due diligence is easily pushed out.
Having just watched the documentary on ITV I was curious as to what could cause this. Fantastic explanation, many thanks.
Let me guess: This system cost hundreds of thousands or maybe millions of pounds to be developed?
If only. Horizon cost one billion 1995 pounds (1.97B today)
@@SaffronMilkChap Holy crap
just like "reinventing" charlie-19 tracing apps in every damn country, millions
Pork pork pork!
And code from India?
ICL were a UK based company, worked on projects with Barclays. Millions? Yes, more than 700 of them for the pilot alone. Zero coding standards or consistency. Saying that, much of their background is in mainframe tech, it sounds like they didn’t understand the technology they were using, hardware down to software.
This is an example of why all software that touches public funding should be free, and, in the case of internal government systems, should be released to the public. Being able to audit Horizon would've given people a fair defense in court.
(See the FSFE's "Public Money, Public Code" initiative.)
I agree, but this scandal is really more of an argument for *all* accounting software to be free, not just the software touched by public funding. This could happen to literally any private company as well.
That's a load of nonsense. If it had been a commercial bank instead of the post office, the impact would have been the same. Public or private has nothing to do with it. And yes, the company that I work for does a lot of work for government and parastatals, but that doesn't change the argument. There is a lot of hard work and engineering involved, that you don't want to share so that others can take your code and undercut you. If you want free source code, have a government-run software house and see how well that is going to work.
I disagree, but all software should be tested by an independent 3rd party to verify that they do what is intended and there should be guidelines on what should be tested and how. And every update must also be tested as well.
@@SeverityOne Taxpayers paid for it. Post Office is a government run company. Should be open source. A lot of other government source code is already, and it's written by private contractors too.
@@SeverityOneThe impact wouldn't have been the same because the Post Office have the legal power to bring prosecutions, and thankfully private business doesn't have that power.
A perfect example of how we can all expect to be treated as "infallible" machines and algorithms control more and more of our lives.
Nobody mentioning the video quality of Steven Murdoch? Looks so good!
Yes the professor had some excellent filming kit :) -Sean
Thanks! The main camera is a Canon EOS RP, which is designed for still photos but is pretty good at filming 1080p video. It probably also helped that I set up some lights. I just wish I remembered to look at the camera at the beginning (I realised after a while)!
@@Computerphile. The RUclips algorithm sent me to this video, 2 years later. Very informative considering the scandal is still ongoing.
On the contrary! The sketches were hidden by the man’s hand all the time. ✍️. The camera was in the wrong place!
As a former bookkeeper this sounds like a technology failure compounded by a bookkeeping failure. All of these shortages should have been easily catchable with daily or even weekly checks.
Blockchain????
@@squigglesmcjr199 not necessarily, with the banking transactions you just compare electronic money in to cash money out and if you're over $800 you first look at your failed transaction log, then you look at when all the $800 withdraws were approved by bank's system and make sure they were cashed out correctly on a register, if they were then see if any $400 transactions were double charged. Then you work your way through the more time consuming troubleshooting until you find out why things don't match.
One of the most shocking scandals I have heard of. I hope those wrongly accused get the justice they deserve.
Some of them have already died. Or in fact committed suicide.
We have to push our politicians to take responsibility and to prosecute the Post Office upper management who knew this early on, who suppressed a negative report, who told lies and who are fully and criminally culpable for this.
Great guest. These concepts were very clearly explained in simple, brief language. Well done.
Very nice summary of the architectural issues in play here. I am very keen to find analysis of the initial business case for Horizon -and to see how much 'fraud reduction' was part of the underlying assumption. I strongly suspect that the PO mother ship has long assumed fraud was rampant - and that Horizon was touted as the answer. I think this explains the belligerence and assumption of guilt by the PO. They werent just expecting lots of legal actions. It was a desired outcome.
Utterly illuminating. Thank you so much for this.
I have been working as a software developer for almost 40 years and this is really Database checking 101. ALWAYS use db transactions/Journaling/Commitment Control,
JEZUS These Guys Were/Are Amateurs!
It's a technical atrocity, compounded by criminal conspiracy to hide evidence.
The kinds of developers that understand consistency algorithms are likely not going to want to work for some weird sub-branch IT department of Fujitsu doing boring accounting. So then you get a bunch of junior devs who are wet behind their ears who are just there for a paycheck and CV building. Mere cogs in a wheel. Many such cases. So yes, complete amateurs, no worse, that is a slight to amateurs, incompetent fools.
Notice how the large directly operated branches (not the franchised village counters run by a couple of biddies) - the really large ones with many counters.
They had the same issues with "being short" by tens of thousand as the innocent biddies. But, the Post Office never prosecuted anyone from their own branches. And the Post Office lied about there being no problems whatsoever.
Funny that.
I see everyone in this comments section is commenting on the (shameful) scandal itself, but I wanted to take a moment to say that this is also a great video explainer! Clearly explained so that all the main issues are understandable to even the slowest of us... great job, both Professor Murdoch and Computerphile!
Are there any more videos that explain what was technically going wrong with the horizon system?
Still not. It might not come out, and it might not need to. There are a million ways mistakes can happen if you don't prevent them. This video gave examples of ways that things COULD go wrong.
Good video, definitely want to see more stuff about databases, even if it is historic information i.e. development of ACID. Steven seems like a good presenter so look forward to more from him.
The viewing figures for this video must have spiked this week!
Seems like the people at the post office responsible for the cover should now be accountable for ruining people's lives. Some served substantial prison sentences for this. Also, thoughts and prayers for any of the devs with Horizon on their CV :😬
I worked for a company where the accounting software had a variance of about $2.49 between the net assets and the total equity. They must have had a weakness at some point that allowed an unbalanced transaction.
To get that fixed we would have had to give the file back to the software provider. We just lived with it as it wasn’t material.
Computerphile is so great. Bringing light to these kind of things.
Well it was Computer Weekly, then Private Eye that exposed this really.
Very relevant and useful explanation. Many of the details here I was not aware of and it's obviously all blown up again. So many hidden corners to this wider story that are continuing to be exposed.
It's very challenging with such a complex IT system and when hundreds of millions of transactions are not a problem and an occasional one apparently goes wrong, then it's hard to see the error and as an outlier then you can see why it's seen as an individuals error.
Very clear explanation, thanks. The fundamental principle here is that if there is inconsistency within, or between intercommunicating, computer systems then the systems are at fault and not the user. The user could be responsible for losing physical cash or stock, so that they are inconsistent with the computer systems. I wonder what technology they were using to enforce transaction integrity. If they were just relying on coding without a transaction or database framework with two-phase commit, it would have been easy for it to go wrong. The audit log itself should be accessed via an application. It sounds as though they might have been editing the data file directly, which is not safe at all.
It's so sad that only now it is getting the push it needed a LOT of time ago
Super relevant here in the UK right now. Thanks for the video. An update would be good I think.
The explanation of isolation wasn't exactly correct. It is more about concurrent transactions, and the need for serializability (i.e. order of operations doesn't change final outcome) regardlessly of whether they are on the same system or not.
Please tell me a massive scandal isn't going to be the exact same problem used to introduce concurrency problems to freshman CS students.
He could tell you that - but he’d be lying. Its absolutely ridiculous that several people spent time in jail because The Post Office Ltd cant employ competent subcontractors e.g Fujitsu.
thank you so much for this great video
Excellent review thanks
thanks for this, this is exactly what i wanted to learn about - what bugs causes what issues. poor people who went to jail and lost their jobs
Managers knew the system was rotten and yet they continued to prosecute . Despicable beyond words . They NEED to go to jail .
In 1999, Post Office Counters Ltd introduced a computer accounting system called Horizon, developed by ICL (which in 2002 rebranded under the name of its Japanese owner, Fujitsu). From 2001, the Post Office company (by then renamed Post Office Limited) was a subsidiary of Royal Mail Group.
I read an essay about this. It made me wince loudly. My God, when I think about AI and how we've convinced so many people that algorithms and other AI technologies are seemingly infallible, I get shivers. We may see similar cases in the future on that front.
Google has been known to comment, to large figures like Linus Sebastian (of LTT) that their algorithm for presenting content to users - along with things like demonetisation - long ago became so complex that nobody understands why it does what it does. Now that's just RUclips, effectively a mega-CDN with implications for a few hundred thousand creators, but what other systems have outgrown human understanding? And as you say (especially commenting 2 years on from your post) how long before this happens with AI?
*Critical edit - I know I said the RUclips algorithm has limited consequences, but then, a few years ago it was proven beyond doubt that the platform algorithm had developed a tendency to radicalise users. If you clicked a Jordan Peterson video, for instance, it would start trialling you on content by Andrew Tate. If you clicked a news article about a Muslim committing a crime, it turned you on to far right white supremacy videos. This stuff is already having an impact on the fabric of our lives.
Famous IT-saying: "Avoid duplication of volatile information".
Main takeaway: 11:41 "Distributed system makes everything harder."
Probably getting a boost.
We've all heard about money missing, debt. What we've not heard about are surpluses which would occur if the sw errors were random.
Surely the first thing the Post Office has to do NOW is to reimburse all the postmasters or their descendents with the money they stole with appropriate interest payments. After all it is still the postmasters' personal money.
Will this be the same committee examining the closure by the post office of several thousand post office accounts used to pay the most vulnerable blind severely disabled children and adults who have been left destitute,starving, hospitalized as a result they have not seen any income since 2nd june 2022. Will the group compensation for this legally protected group who have had their lives threatened also come from the Fiijitsu compensation scheme?
Will the collapse of the horizen system effect the payments of disability incomes through the post office branches since June 2022 ? under article 11 for human rights for those with disabilities the legislation under the European convention make immediate settlement to these sorely disabled bling adults from the monies allocated by Fujitsu ?
Go back to using paper and pen. However old fashioned, it's much safer - and more accurate, with no possibility of technological error - and this appalling scandal could not have happened. The idea of a machine "thinking" something has happened, when it hasn't, and not having the judgment to know the fifference, is obscene. Disgraceful. Those poor sub-postmasters.
Just started watching Mr Bates vs The Post Office; probably the scariest thing I've ever seen on TV. This whole scenario is really a software developers worst nightmare. Thanks for clearly explaining what the bug actually was.
So did real money go missing? My bank balance is a complex number: there is a real part and an imaginary part.
lol
731 Absolutely shocking, disgraceful, the arrogance and hubris of the management. Someone needs to go to prison.
Really well explained thanks
Correction 'The Post Office/FUJITSU' scandal. Fujitsu should not be getting away with it
To err is human, but to really foul things up requires a computer. How true those words are.
thanks: since this scandal broke, I've been looking for an explanation of the Horizon system and what went wrong from a technical point of view. the worst thing about it is not that the technology failed, but the reaction of the human beings managing it; simply refusing to believe it could be wrong instead of properly investigating it. saying that, I think software engineers do need to take responsibility for the failings of the systems they design, and the wider community needs to learn lessons of such failures. I hope such lessons will come out of the inquiry, but I think - most likely - the biggest lesson will be that the system wasn't sufficiently tested
Lesson learned: If there is a way to do something wrong, government will do it the wrong way almost every time
I worked as a programmer for many years on commercial systems. Let me assure you- management will seldom admit fault in the code because the company's reputation and therefore their profits depend on the system working.
Prof Stephen might be the best dressed and we’ll framed guests on computerphile.
"What's PostgreSQL? Best practices? It's like you're talking another language!"
Its a database management system, like Oracle
Actually, it was Oracle they were using.
It needs to be investigated if Post Office executives and staff took bribes from Fujitsu.
Where you getting this info from?
Fujistu is another of those companies that do everything on the cheap (except directors’ bonuses, of course).
They pay their software developers peanuts, which means they have a constant high turnover of staff and low staff morale. The software they produce is exactly what you would expect, given those circumstances.
And the government keeps awarding them contracts because they are so cheap.
The black background makes it look like the speaker is explaining the British post office in the void of intergalactic space
Not many sub poster masters were hackers ide say. what a disgrace.
Now remember how many critical systems run on things like COBOL and MUMPS/Cache, and that many of the original developers are dead at this point...
Are there also postmasters with surplus cash (and keeping quiet) ?
Being from across the pond, I never actually heard of this. It’s somehow comforting to know that we will always have government ineptitude in common.
So this is what happens when you accidentally program an accounting database to act out the plot from Superman III or Office Space.
common sense should have told those in charge that, after years of no problems with post masters, and then after implementing a new computer system, there are hundreds of them being prosecuted in court - that a pause is required and a complete investigation is required by at least one independent body/company + independent auditing. It is obvious that system analysis, programming and testing was not done properly. A decent manager would have understood this, and acted upon it - and there in lies the problem There are far too many people in the wrong job bluffing their way through until things become too hot or go wrong - then it's off to the next well paid position.......
What a horrible injustice
There was also a legal assumption built in to legislation that computers did not error.
The fact that horizon (apparently) wasnt put thru the ACID test is insane.
Not at all surprised, I see this happening today as well during the crisis in the Netherlands, everyone is trying to cover their *** and a lot of intimidation is going on from top to bottom, totally illegal, but i simply happens. I wonder if that is simply what management trainings are about these days as it seems so normal. I do hope that all sub-postmasters and especially those in jail got a huge sum of money in return.
This must be why I thought I had heard of this BS when the scandal resurfaced.
Could you please enable Auto-Generated English Closed-Captions? Even if it’s not perfect it’s really useful for non-native English speakers. Thanks
Neither of them are English 😉
@@hoagy_ytfc No, but they speak English, and are native English speakers.
@@TheDeadSource I know, I was jesting a bit
@@hoagy_ytfc I figured from the emoji you appended to your sentence. I'm sorry to be harsh, but some jokes can come across as condescending in the context of someone asking for help, particularly when they are not very clever.
@@TheDeadSource Oh ok, thanks for the lesson