Thursday 14 March 2019

Horizon Trial: day 4 - They Could, And They Did Change Branch Transaction Data

Richard Roll
Richard Roll, the Fujitsu whistleblower, spent just shy of a full day in the witness box today after giving evidence for most of yesterday afternoon, and boy it was gruelling.

At one point I thought he'd developed Stockholm syndrome - agreeing with everything the Post Office QC said in the hope someone would make it stop.

Mr Roll came forward after seeing the BBC Inside Out South investigation I fronted in 2011. He did so for exactly the right reasons. He felt from his time working at Fujitsu Horizon support that some Subpostmasters might well have been held responsible for losses which weren't their fault. As someone who was very close to the action, he felt it was his moral duty to speak up, especially when he saw the people in the programme who claimed to have been affected.

Now I don't think anyone is suggesting for one moment that Mr Roll (both at the time of giving us the Panorama interview in 2015 and at the time of writing his witness statement) was not trying to give an honestly held view of what he saw and experienced whilst working at Fujitsu. But memory is a funny thing. Mr Roll was there between between 2000 and 2004. That is a long time ago.

Ask me about the stories I worked on during that time and well... I can remember 9/11 vividly. The other stuff...? Not so much. And if you were to put me in a witness box and ask me to take you through the names of my colleagues, my working processes, the reporting structures, the software I used - things I knew against things I assumed were true at the time and now believe are facts I would be groping around, I am sure.

Yet Mr Roll - who certainly didn't have to spend two days of his life being progressively taken apart - chose to come forward and give his honestly held view about the work he did. But just because he thought something might be true, that didn't make it so. Organisations and individuals can be put at an unjustifiable disadvantage if misleading or inaccurate recollections are left to stand as fact.

Re-train the howitzer

Imagine having your little story - which you wrote with reference to a few of your own documents and fading memory, coming to the attention of a remorseless and fantastically well-resourced machine, backed by an army of people with access to whole forests of documentation.

All that was deployed against Richard Roll over the last two days. And boy, did it show.

Mr Roll came across as a solid, trustworthy and honest witness, but I think it is fair to say that large chunks of his evidence will be disregarded.

This is a selection of quotes from this morning's cross-examination (btw SSC where it appears is the department Mr Roll worked at within Fujitsu - I'm assuming it stands for Service Support Centre):

Q.  In your
       44 months at the SSC did you ever encounter a situation
       where a cyclic redundancy check missed an error of this
   A.  I can't remember that.
   Q.  I suggest to you didn't, Mr Roll.
           Could I also ask you whether you were ever aware of
       this -- in your experience you ever actually saw this
       problem happening with a subpostmaster?
   A.  I don't think I did, no.
   Q.  You said --
   A.  I don't think I did.
   Q.  You don't think you did?
   A.  No.
   Q.  So what you're saying in red text here in paragraph 14,
       it's really largely a -- and I don't mean to be rude
       when I say this -- it's an armchair theoretical exercise
       that you are discussing, it's not something that
       actually reflected your experience when working at the
       SSC, is it?
   A.  No, it was something I was thinking of hypothetically.
   Q.  I'm grateful.


   Q.  Now, I would like to ask you about your belief that
       there were "likely many cases".  Mr Roll, that's
       speculation, isn't it, that's not a statement of fact?
   A.  That is how I felt, yes, that's --
   Q.  You felt it?  What was the basis of your feeling?
   A.  Going back to what I have said a moment ago about
       feeling that at times we were under pressure and we
       couldn't do the job properly.
   Q.  How often -- do you have a recollection as to how often
       you were under pressure?
   A.  No.
   Q.  My sense of the evidence you have given -- and I want to
       tell you this so that you can tell me whether you agree
       or not -- is that it didn't happen very often?
   A.  Not very often, no.
   Q.  Okay.  So can you say how many times --
   A.  No.
   Q.  -- you had a sense when faced with a problem that it was
       likely to be a bug but you hadn't --
   A.  I wouldn't be able to say.
   Q.  You couldn't say how many times --
   MR JUSTICE FRASER:  Keep your voice up, Mr Roll.
   A.  Sorry.  I have no idea.

 Q.  First of all, you say:
           "The test team felt they were under enormous
       pressure to complete the testing within certain
       timescales which negatively affected the test regime."
           That's quite a bold claim.  The testing wasn't your
       team, was it?
   A.  No, they were on the same floor as us, some of them.
   Q.  So you're talking about your recollection of -- would it
       be fair to say office gossip?
   A.  Yes.
   Q.  From 15 or 19 years ago?
   A.  Yes.
   Q.  How many conversations of this sort did you have during
       your time at Fujitsu?
   A.  I don't recall.
   Q.  Was it a view that was expressed by the entire test team
       on a regular basis, or was it something that was said to
       you by one or two people a couple of times?
   A.  My recollection is that the majority of the team felt
   Q.  The majority of the team felt pressure.  What did they
       say about this pressure?  What did it make them do?
   A.  I can't remember.

One of the things that this week has taught me is the value of cross-examination.  I do feel slightly sorry for ordinary people being put in a witness box and being asked to justify themselves in front of highly-trained barristers who skewer people for a living, but today we witnessed the slow and labourious process of groping towards establishing the likely truth of the situation with regards to large chunks of two witness statements.

A day of two halves

After lunch, Mr Roll seemed like a changed man. In response to the questions he was being asked about remote access, he suddenly found his mojo.

Mr Roll explained in detail how he was able to go into a Subpostmaster's branch terminal - using the Subpostmaster's login - and change the transaction data without that Subpostmaster's knowledge. Now we must, and Mr Roll did, caveat it with everything that you would expect from someone entrusted to undertake such a risky and delicate operation. He would log it on the Fujitsu internal log "Pinnacle" every time it happened. It would be supervised and signed off by another pair of eyes. If the Subpostmaster could be informed they would be, but Mr Roll was clear about what happened. He and his colleagues had the power to roam around inside a Subpostmaster's branch terminal without the Subpostmaster having any idea they were there or what they were doing.

This was when he came off the ropes:

Q.  And the second sentence:
           "The Riposte product managed the message store and
       it did not allow any message to be updated or deleted,
       although it did allow for data to be archived once it
       had reached a sufficient age ..."
   A.  Yes.
   Q.  It is correct, isn't it, that Riposte didn't allow any
       transaction line in the message store to be individually
       deleted or changed or edited in any way?
   A.  You couldn't do it through Riposte, no.  You had to hack
       the system to do it.
   Q.  So would this be right then, that it wouldn't be
       possible to remotely access a counter and change the
       data on the message store of that counter remotely?
   A.  I believe that theoretically it would.
   Q.  How would that be possible?  Riposte wouldn't allow you
       to do it, would it?
   A.  By doing the system that I have just said.  If you
       could -- without the message store replicating, so
       there's no other copies of it, if you could get that
       message store off, alter the data in some of the lines
       of code, to do that you would need to strip out all of
       the preamble and the post-amble, so you're just then
       left with the basic data as if it had been on the stack
       or whatever -- forgive me, I'm very rusty on this -- but
       then by -- I think it was the Riposte import but it
       might have been something else, you could then reinject
       that data which is the process we would have used to
       rebuild a counter.  But if you had changed some of that
       data, I think that it would then have rewritten the CRC
       when it imported it so that then when it replicated, the
       data could theoretically have been changed.
   Q.  I'm finding it difficult to follow you and it may be my
   MR JUSTICE FRASER:  I follow what the witness is saying but
       keep exploring it.
   MR DE GARR ROBINSON:  I would like to distinguish though
       between transactions insertions -- the process of
       injecting particular transactions into the message
       store, which could be done, with the process of actually
       manually changing a transaction line that is in the
       message store and you could insert new transactions,
       couldn't you, but what you couldn't do is you couldn't
       edit or indeed individually delete lines that were in
       the message store itself?
   A.  You would have to delete all of the message -- from what
       I remember, delete all of the messages down to a certain
       point to the one you wanted to amend and then inject
       a load more text, or insert more transactions in to make
       the message store and Riposte think that it had been put
       in by Riposte and by the postmaster.
   MR JUSTICE FRASER:  I think you can probably explore this
       with the experts.
   MR DE GARR ROBINSON:  I think I probably should.

Then he contradicted the report of Mr Godeseth, a Post Office witness:

Q.  Well, my suggestion to you will be that you never and
       would never manually change a transaction line of data
       that a postmaster had keyed in.  That's just not
       something SSC would ever do.
   A.  The process I have just described is something we did,
       as far as I remember it.
           The process of actually changing a line of code to
       change it from £100 to £10, we would never have done
   Q.  So -- I mean Mr Parker says -- let's go back to this
           "Fujitsu would not change the transaction data
       itself and in removing the envelope data, they would
       simply be allowing the system to automatically renumber
       the transactions when they were reinserted."
           I'm suggesting to you, Mr Roll, that that's the most
       that anyone at the SSC would ever do in terms of
       changing transaction data?
   A.  That's not my recollection of it.  It was a long time
       ago though.
   Q.  And then he says:
           "Ultimately, when the counter was replaced at the
       branch the subpostmaster would be able to see what
       Fujitsu had done."
           Is that true?
   A.  Again, my understanding is that in certain circumstances
       the data would be indistig ... sorry.
   MR JUSTICE FRASER:  Indistinguishable, is that what you are
       trying to say?
   A.  Yes.  Yes, my Lord.
   MR JUSTICE FRASER:  You couldn't tell the difference?
   A.  You couldn't tell the difference.  The postmaster
       wouldn't be able to tell the difference from data that
       he had entered as he was scanning a stamp or whatever
       and to what we had put in.  That's my understanding --
       my recollection.
   MR DE GARR ROBINSON:  Well, I suggest to you, Mr Roll, that
       no one at SSC would ever manually change a line of
       transaction data and then reinsert that transaction data
       into the message store of any branch.  There might be
       occasions when new transactions were inserted, but it
       was more than the job of an SSC member was worth to
       actually start mucking about with lines of existing
       transaction data.
   A.  Can I say that we were not "mucking about" with lines of
       transaction data.  We were trying to rebuild counters.
       If I can take the instance after single-counter
       post office where one of the lines of data had been
       corrupted.  Without correcting that corruption and then
       reinserting it, if the corruption remained then that
       line of data would have continued to cause problems.
Then he explained in pretty clear detail how he could and did change transaction data in branch:
   Q.  It is right, isn't it, that Fujitsu generally, the
       SSC, was extremely reluctant to make any changes to the
       basic features of transaction data that we have been
   A.  Yes.
   Q.  That's not something they regarded as their job,
   A.  Sorry, the changes to the transaction data?
   Q.  The basic features of the transaction data?
   A.  How do you mean by ..?
   Q.  Well, changing a figure in the -- the discussion that we
       have just been having?
   A.  Right.  That would have been our job because it was
       trying to fix a corruption in the data.
   Q.  All right.  And let me suggest to you that it is
       something you only did when you absolutely had to do it?
   A.  Yes.

Well - there you have it, heavily caveated with all of the safeguards, but unbested evidence that staff at Fujitsu could wander around, changing transaction data on Subpostmaster branch accounts without leaving a trace in the system.
Greater minds than mine will work out the implications for all that, but it made for an interesting afternoon, when some of us thought that Mr Roll was in danger of losing all credibility as a witness.

There is more. Shall we Roll on?
This was an exchange which caused a stir amongst the claimants in the public "gallery". I offer it here without comment:
Q.  So when you say in paragraph 18 "we were able to change
       not only data and transaction information, but we also
       had the ability to insert transactions", when you say in
       the next sentence "obviously this was not done by me",
       are you referring to the ability to insert transactions
       and the ability to transfer money?
   A.  Yes.
   Q.  So you couldn't do either of those things?
   A.  I could have done.  From my recollection.
   Q.  I'm so sorry, you didn't do either of those things?
   A.  No.  What I'm referring to here is somebody -- if you
       want to be dishonest -- if the postmaster was using the
       counter then my recollection was that you could have
       logged onto the counter without the postmaster
       knowing --
   Q.  I don't need to ask you any questions about that,
       Mr Roll, but I understand why you want to tell me.
There were also a couple of wtaf? moments provided by Patrick Green, QC for the claimants. In his brief re-examination of Mr Roll he asked the following question:
   Q.  Okay.  You weren't shown it, but the court was told
       there was a document which was broadly consistent with
       what those codes meant and if we can look please at that
       document, it is at {F/823/23}.  Mr Roll, I'm only going
       to give a couple of examples of this.  If we look at 63,
       which is the line we looked at first.  If you come down
       the left-hand code side to 63.  Do you see this table
       actually only starts at 60, it doesn't have any of the
       earlier codes?
   A.  Yes.
   Q.  But it does have 63 and you look across and it says
       "Programme approved no fix required" which on the face
       of it sounds quite chirpy and positive and then we look
       and it says:
           "Rarely used.  Covers the case where there IS
       a fault in the product and this is acknowledged by both
       Fujitsu and [Post Office Limited], but the fault is
       there as a result of an agreed design specification and
       Fujitsu would require POL to fund any correction.  MUST
       NOT be used without approval from HNGX Programme Manager
       or authorised representative."
Mr Roll was asked if he could remember any examples of this. He couldn't. Then there was this:
Q.  And if we could go forward please to page 3 {F/16/3} and
       look in the bottom yellow box, 27 July at 10.09, do you
       see "CAP12" on the left-hand side?
   A.  Yes.
   Q.  It says:
           "Balance brought forward was multiplied twice due
       [to] known software error.  The initial balance brought
       forward for this CAP was £1,196,622.72.  This was
       multiplied twice to give a total of BBF of £2,279,189.04.
       The discrepancy was therefore £1,082,540.28.  This was
       due [to] a known software error which has [now] been
           Do you see that?
   A.  Yes.
   Q.  So that would have been quite a bad one, is that fair?
   A.  Yes.
Now I have no idea why Mr Green raised these - maybe just for the transcript as Mr Roll knew nothing about them, but after hearing one and a half days of the Post Office barrister describing how incredibly safe and robust Horizon was, and how the Fujitsu support was orderly, calm, brilliant and either fixed things or proved conclusively problems were user errors, this was a window into another Horizon. A one million pound discrepancy caused by a known software error?! On an internal Post Office document?! Surely not.
It certainly whets the appetite for next week's cross-examination.
In case you're wondering, Ian Henderson's evidence to the court was constrained to factual recollections of process rather than anything else. Second Sight still have contractual obligations to the Post Office and after an epic day for Mr Roll, Mr Henderson provided an almost comical coda. He certainly knew his way around a witness box, but he wasn't there to light any fireworks.
I would urge you to read Richard Roll's witness statements, and then the full transcript. Today has been an exercise in better understanding how justice works and why cross-examination is so important to the legal process. 
Tell us something interesting
Judgment day is tomorrow. Mr Justice Fraser will (in person, literally) hand down his 180,000 word document in court 26 of the Rolls Building at noon. He made the point of saying the session is open to the public. 
I will be in court to get a copy. I am currently scheduled to try to make sense of it in time for a live report on ITV News at 12.30pm outside the Rolls Building. I am going to take my highlighter pen and my eye for a decent turn of phrase.
The judgment will be emailed to those who have requested it after 12.30pm. I will upload it to this blog as soon as I am 'umanly able. 
Thanks for reading!
Please feel free to forward the link to this blog post. The more people who read it, the more people find out about what is the biggest trial going through the UK courts right now.

Please also consider a donation to keep the website going by choosing an amount and clicking the button at the bottom of this post. Contributors who donate £20 or more will be added to this secret email list. Thanks!

Choose an amount