Story: Risk Rolls Downhill - The Software Bug That Sent People to Prison

Summary of Story: Risk Rolls Downhill - The Software Bug That Sent People to Prison

by Adam Gordon Bell - Software Developer

54mOctober 2, 2025
Listen to Episode

Summary — "Risk Rolls Downhill — The Software Bug That Sent People to Prison"

Author/Host: Adam Gordon-Bell
Guest: Scott Darlington (former UK sub‑postmaster)

Overview

This episode recounts how a flawed nationwide Post Office counter system called Horizon (built in the 1990s, later maintained by Fujitsu) produced accounting errors that led to dozens of sub‑postmasters being accused, prosecuted, convicted, and in some cases ruined. Through Scott Darlington’s first‑hand story, the episode explores the technical bugs (replayed/double-posted messages, the "remming out" bug), institutional choices (all‑at‑once rollout, contractual incentives), and cultural failures (support scripts, secrecy about known errors) that shifted risk onto the least powerful people — the village postmasters.

Key points & main takeaways

  • Horizon was an offline-first point‑of‑sale/ledger system designed to queue transactions locally and sync later. That architectural choice introduced message replay, timeouts, retries and other distributed system failure modes.
  • Known software defects produced “ghost” transactions (double‑entries, phantom stamps or deposits) and mismatched bookkeeping even when cash in the drawer was correct.
    • Example bugs: “calendar square” (replayed transactions after frozen message queue), “remming out” (cash bag transfers recorded only once), many others logged internally by Fujitsu.
  • Fujitsu maintained internal known‑error logs and sometimes fixed ledgers remotely, but did not inform individual branches or the Post Office support teams broadly. Sub‑postmasters were not warned.
  • Post Office support followed scripts and contractual rules: if the computer’s ledger didn’t match the till, the branch was responsible to make up the shortfall. This policy treated software discrepancies as personal debts.
  • Risk and blame “rolled downhill”: the organization preferred to prosecute local operators rather than admit large IT project failure. This led to prosecutions and convictions (often for false accounting) of many sub‑postmasters.
  • Human consequences: Scott’s life was devastated — criminal conviction (pleaded guilty to avoid prison), suspended sentence, closed shop, heavy debt, damaged reputation, and years of hardship.
  • Later developments: public inquiry and media reporting exposed documents and Fujitsu internal logs. Litigation (2017–2019) led to a settlement for many, but those who pled guilty were excluded. As of 2024, political attention has moved toward overturning wrongful convictions and compensating victims — but progress has been slow.

Notable quotes / insights

  • Repeated framing line: “This story is about what it looks like in real life when software hurts somebody and the people in charge and the people building it aren't listening.”
  • “Risk rolls downhill.” — encapsulates the institutional tendency to push operational and financial risk onto frontline workers.
  • Technical analogy: double‑entry accounting compared to two‑phase commits / checksums — if one side never acknowledges a change, the system shouldn’t treat it as valid.
  • Cultural insight (via Patrick McKenzie / Patio11): “All systems reflect the culture they are created in” — procurement, contracts and incentives (not just code) determine outcomes.

Topics discussed

  • Scott Darlington’s background and motivation to become a sub‑postmaster
  • How day‑to‑day post office transactions and end‑of‑day balancing worked
  • Specific Horizon defects: message replay (“calendar square”), “remming out”, duplicated entries, frozen queues
  • Offline‑first architecture and distributed system failure modes (queueing, retries, replays)
  • Fujitsu’s internal handling of bugs and secrecy around known errors
  • Post Office support structure, contracts, and the practice of deducting shortages from sub‑postmasters’ pay
  • The prosecution process, how the Post Office had unique prosecution powers, and the legal outcomes for sub‑postmasters
  • Systemic and cultural causes of failure in large government IT projects
  • Whistleblowing, media coverage (Computer Weekly), public inquiry and later legal/political developments
  • Personal and social consequences for accused sub‑postmasters

Action items & recommendations

For organizations and software teams:

  • Treat integrity checks as non‑negotiable: implement strong double‑entry/atomic transaction guarantees and detect/reject incomplete operations rather than letting them silently mutate ledgers.
  • Design for observability and audit trails: log causality, retries, duplicated messages, operator actions and system freezes so issues are traceable.
  • Use staged/canary rollouts and monitor early: roll new critical systems into a small controlled subset (e.g., government‑operated branches) and investigate every discrepancy before mass rollout.
  • Maintain a duty of candor: share known errors with customers/operators and support teams; don’t hide internal bug lists that affect financial integrity.
  • Align contracts to share responsibility fairly — avoid contract language that shifts all operational risk to a frontline operator.
  • Encourage and protect whistleblowers; create channels to escalate reproducible system defects to engineering and independent audit.

For individuals (operators / frontline users):

  • Don’t blindly “force the period to roll over” if ledgers don’t match. Document everything: take photos/screenshots, record timestamps, write down exact actions and any error messages.
  • Escalate formally: request an official audit and raise the issue with your MP, regulator, or legal counsel if necessary.
  • If faced with deductions, get written confirmation and seek legal advice before accepting guilt or settlements.
  • Keep meticulous manual records (receipts, transaction lists) that can be used to dispute system records.

For policymakers & regulators:

  • Ensure independent oversight of critical financial systems used by citizens; require transparency about known defects and remediation practices.
  • Make prosecution decisions independent from the vendor-client relationship; avoid allowing vendor‑dominated processes to drive criminal charges.
  • Provide legal and financial support for individuals wrongly accused due to software failures, and establish fast pathways to overturn wrongful convictions.

Outcome & further context

  • The scandal triggered media investigations (Computer Weekly), a public inquiry, lawsuits (many succeeded), and growing political attention.
  • Compensation was paid to many postmasters, but those who pled guilty were initially excluded; efforts in 2024 aimed to overturn convictions and resolve outstanding injustices.
  • The episode is both a cautionary tale about large IT projects and a moral call for engineers, managers and institutions to take responsibility when software harms people.

Recommended follow‑ups (from the episode)

  • Read Scott Darlington’s book: Signed, Sealed, Destroyed (first‑hand account).
  • Watch dramatizations / investigative reporting such as “Mr. Bates vs. the Post Office” and coverage by Computer Weekly.
  • If you work on critical systems, review your architecture for replay/duplicate message risks and strengthen auditing & escalation processes.

If you want, I can convert this into a one‑page checklist for developers, a short script of actions for frontline operators who encounter ledger discrepancies, or a timeline of key events in the Horizon scandal. Which would be most useful?