The Post Office Systems Scandal Demands A Critical Response

Opinion Nine hundred people have had their lives blighted, even destroyed. One of the world's oldest independent judicial systems has been perverted as a publicly owned company – the Post Office – brought private prosecutions* against postmasters. At the heart of it all is a brutal corporate cover-up of a broken IT system.

The Fujitsu Post Office Horizon affair is the biggest, ugliest scandal in public sector IT this century, at least among democracies. Although it has been covered in the tech press for nearly 15 years, with the mainstream press and the politicians catching up over time, and despite an independent public inquiry at last kicking off in September 2020, it took a TV drama at the start of 2024 to really grab public attention. 

Youtube Video

As tech partner to the Post Office Horizon project, Fujitsu is tasting the effects, and these too are brutal. They will certainly affect its bottom line: the company has said it's not pitching for new public contracts until the inquiry is complete. It may be hard to recover from that.

The mainstream media is trying to make up for lost time by asking the usual questions: who inside Fujitsu knew what when, who decided the strategy, how culpable is the company for compensation, did its people lie, and so on. All good questions. None is the big one. 

A princely paradox

Every corporate crisis looks different inside than out, because every corporate crisis has its roots deep within the company, in places far from view, and with implications that only insiders can appreciate. Take one of the first big UK cyber security cases in 1984, when the public Prestel dial-up system was infiltrated by hackers. Run by British Telecom, ironically enough the renamed Post Office Telephones state telco. Prestel was hacked in the run-up to BT's privatization. As with Horizon, the breach had already been written about to not very great interest: it took the taking over of Prince Philip's account to get public attention. 

BT was shaken and embarrassed, but it rode out the story hoping that the one question that it couldn't answer, wouldn't be asked. If pressed, it could break the sale, even the company. If you can't keep the Royal Family safe online, how do you know the other systems you run are secure?

Nobody asked. Nobody asked the obvious follow-up - what other systems do you run? As a state telco, BT was in charge of all internal Government communications, including the highest priority and most secret. The company stood revealed as basically incompetent and the consequences, should anyone think to look, were incalculable. Yet nobody asked, and the moment passed.

In Fujitsu's case, much the same applies, though the full extent of the company's own responsibility has yet to be identified. If your Horizon project went so badly wrong, how can we have confidence that your other projects aren't broken? Then the follow-ups: what projects are there? How can we trust what you and your partners say about them? Let's see the evidence. The good thing about such questions is that they demand actual, enumerable answers. State IT procurement, like its corporate sibling, is normally hidden behind walls of denial, of "commercial confidentiality," or blame ping-pong. Unlike corporate procurement, there is a cast iron case for transparency in the public interest, but that case only takes flight with political will. The Horizon scandal has the potential to fire that up - if we ask the right questions. 

It goes further. This scandal is unique, not because Fujitsu is exceptionally bad - until the inquiry concludes, we won't know what Fujitsu is - but because its client, the Post Office, had the very unusual power to bring private criminal prosecutions. It used the threat and the actuality of that power to avoid the responsibilities of a failed project. Most of the story is banal, reiterating any organization's use of any and all options it has to bolster a cover-up, once it has decided to take that path. Indeed, digging in ever deeper until overwhelming cataclysm consumes all is the very stuff of tragedy. It's just in this case, the Post Office's digging tools included the Bagger 288.

• Home Office slams PNC tech team: 'Inadequate testing' of new code contributed to loss of 413,000 records
• A history of personal computing in 20 objects part 1
• UK.gov: You didn't trust us with your ID, so we gave it to private biz
• Fujitsu gets $1B market cap haircut after TV disaster drama airs

As the TV drama proves, great tragedy provides the power to make people care. Until Mr Bates vs The Post Office, plenty of people knew about the scandal, and sympathized, but - shrug - what can you do? That sense of an injustice too embedded to oppose is fractal, running from personal power relations at work through departmental inertia all the way to impermeable orbital command of the C-suite. It's a universal truth. Until it isn't. 

If ten people in Fujitsu stood up and said 'No, let's not do this,' or ten of their Post Office equivalents sent just one email, things would be different. It doesn't even have to be that dramatic - there are a thousand ways to say no constructively. But you have to have conversations first. The point of a good morality tale, which is where Horizon has become, is not to say 'Look at the bad people' but 'That could be us."

For those who work in IT building and selling the systems that run our lives, Fujitsu is a once in a generation opportunity to start those conversations, to demand answers and to offer determination that no, it won't be us.  Every byte we write that touches the world has consequences. Let's talk about that, for a change. ® 

Big bootnote incoming...

* The perversity, here, lies in the situation where "an organisation is allowed to act as a prosecutor when it is also the victim and the investigator of an alleged offence" – the very situation that prompted the Chair of the CCRC, Helen Pitcher, to write to the Chair of the Justice Committee back in June 2020 to ask if the committee would undertake a formal review of the circumstances and try to institute safeguards.

As Rupert Bowers KC and criminal barrister Tayyiba Bajwa point out, as does hefty mag for barristers Counsel, the Committee at the time made a number of recommendations, including that: "…the Government should urgently review funding arrangements for private prosecutions in order to address the inequality of access to the right; to ensure a fair balance between the prosecutor and the defendant; and to ensure the most cost-effective use of public funds…"

While the Post Office has maintained that everyone technically has the "power to bring private prosecutions," as the monthly the journal of the Bar of England and Wales noted, there is some historical precedent here with the "Post Office ... perhaps unique position as a private prosecutor, and it is that unique position that gave the CCRC the greatest cause for concern upon its referral to the Court of Appeal."

Pre-split with the Royal Mail, the Post Office had access to a wide pool of solicitors, who are amazingly the earliest known investigators / prosecutors in the world according to the Bar... dating back to 1683. Crucially, both RM and Post Office Ltd still have operational security and investigation teams. In 2021, the Criminal Cases Review Commission said the number of prosecutions brought by the Post Office was "startling" in its scale and supported its belief that organisations that bring "significant" numbers of private prosecutions should be subject to inspections.