Tuesday, 8 November 2022
(10.13 am)
MR STEVENS: Good morning, sir, can you see and hear me?
SIR WYN WILLIAMS: Yes, I can, thank you.
MR STEVENS: Please may I call Mr D'Alvarez.
SIR WYN WILLIAMS: Of course.
ALAN D'ALVAREZ (sworn)
Questioned by MR STEVENS
MR STEVENS: Please could you state your full name?
A. Alan George D'Alvarez.
Q. As you know, my name is Sam Stevens and I ask questions on behalf of the Inquiry. Firstly, thank you very much for giving evidence today. You should have a witness statement in front of you, which is dated 9 August 2022 and runs to 26 pages. Can I ask you to turn to page 24 of that statement. Do you see your signature there?
A. Yes.
Q. Are the contents of that statement true to the best of your knowledge and belief?
A. To the best of my knowledge and belief, yes.
Q. Thank you. Your statement now stands as evidence in the Inquiry. I'm going to ask you some questions but not on all of the matters within it and I will start with your professional background. You joined ICL Pathway in March 1997 --
A. Yes, I did.
Q. -- and that was to lead work on the security related elements of the Horizon IT system?
A. The technical security, yes.
Q. You remain employed by Fujitsu as a programme executive today?
A. Yes, I am.
Q. But I understand you do not currently work with the Horizon IT system?
A. No, I don't.
Q. Going back to March 1997, please could I ask you to briefly summarise your relevant qualifications and professional experience that made you suitable to lead the technical security work on the Horizon IT system?
A.
So my background from my previous employment, which is in government for the Metropolitan Police Service, was in programme project management and focusing on the delivery of IT systems for the Met Police Service, initially in payroll but from the National Strategy for Police Information Systems, NSPIS, I was part of the programme management team under change management in respect of the OTIS programme, which is a networking of -- secure networking of all the policing divisions and territory -- territorial units and HQ, as a platform for future policing solutions -- secure policing solutions.
Q. You remained in that role until December 2000?
A. Yes.
Q. At that point in your statement, you say that you became the application's delivery manager of the Post Office account. Could you briefly summarise what that role entailed?
A. Yes, that role -- and there is -- I'm reminded this morning from a document that you have put in front of me that it's slightly incorrect how I have explained that role in my statement. In my statement, I said I was responsible for all application infrastructure services. There were two units: application delivery and there was infrastructure delivery. I was responsible for the application delivery aspects. My next role was when I had the joint responsibility.
Q. Could you just clarify what you mean by the "application responsibility"?
A. The applications would be the business applications that were being developed to support the initiative that Post Office underwent, called ERA, which was to introduce new products and services into the Post Office as offerings, predominantly to replace the business that was lost really, the demise of the Benefits Agency business that went through the Post Office.
Q. Then in September 2002, you say that you were the director of delivery for the Post Office account.
Again, please just briefly summarise those responsibilities?
A. So those responsibilities were that I took overall control of all the new developments, both application and infrastructure developments that were to be deployed on the Post Office Network.
Q. Then between June 2005 and May 2009 what were you working on at that stage?
A. I was working on a number of projects and programmes within Fujitsu. I did an assignment in the US working with Cerner, who was the provider of the workflow application for the NHS programme and to oversee the redevelopment or the changes required on their system to make it suitable for the UK health market. From -- after that, I worked in an internal programme to reorganise how the UKNI was structured within Fujitsu and then I also worked on the warnings index, rehousing into a secure data centre, so in the Home Office we had the warnings index application. We didn't have the infrastructure but the infrastructure was held or housed within non-secure areas in the authority and we took those into our secure data centres.
Q. So during that period, you weren't working on the Post Office account?
A. No, I then returned to the Post Office account in 2010.
Q. You say May 2009 in your statement.
A. Oh, it's May 2009, sorry, yes.
Q. Programme director of Horizon Online; is that right?
A. That's correct.
Q. Now, part of your evidence sets out your recollections in respect of Horizon Online. I'm not going to be asking you questions on that today. That will be dealt with in Phase 3. I do want to go back to your role in relation to security.
We don't need to bring it up but, in paragraph 8 of your witness statement, you state that you were involved only in the security aspects of the Horizon System and any aspects of this statement relating to that period are given on that basis, so, for example, you weren't involved in the design of the EPOSS application?
A. No, I wasn't.
Q. In your statement, you say that when you joined the Horizon IT project in March 1997 you carried out an assessment to identify areas where ICL Pathway needed to provide additional or different solutions relating to security?
A. Yes, it was over a period of a number of months, so when I started, the first thing I had to do was understand the position as to what was contracted to be delivered, understand where we were at with regard to that delivery and to satisfy myself that what was being delivered would actually meet the requirements that we had been set.
Q. You specifically referred to two issues in your statement. One is in relation to the contractual obligations in respect of an access control policy --
A. Yes.
Q. -- and the second is in respect of automated key management systems?
A. The access control policy -- certainly, there were elements where that was still being written and that needed to be completed and there was areas that required to be focused on to ensure that the access to the solutions were both secure, robust. The key management system, that evolved in as much as it wasn't a specific requirement, but it'd become evident that it was required for operational reasons, both for Post Office and also for ICL.
Q. My understanding of that is the original method, using the Diffie-Hellman programme, was too cumbersome to roll out and so the proposition was an automated key management system which would be easier to -- well, it would require less resources when rolled out over 20,000 counters?
A.
Yes, so the Diffie-Hellman exchange is expected to be an automated exchange and what had been implemented was a manual way of progressing an automated process, so it was very cumbersome, it took a lot of time, so if a postmaster had lost their postmaster memory card it could take up to 30 minutes before they could actually get access to the system again going through the process they are required to go through manually, which was inherently designed as an automated -- and we didn't have that automated capability in place.
Q. That's what the automated KMS was designed to do --
A. That's what it was designed to do.
Q. I want to look at both of those but I'm going to start with the access issue and, firstly, talk about access as a matter of generality. What do you understand if someone were to use the term "remote access" in the context of an IT project?
A. So remote access is where we give a facility for an individual not to be present where the actual servers containing the data, the databases, are located. So they will generally have access across a link, which back then wasn't as fast as it is now, but typically we will put in something like an ISDN line or PSTN dial up, where they would link remotely from a console. But the actual data and the systems, which did the processing of that data is in another location. So remote is you have a console which is able to access those systems that contain the data and process that data.
Q. One of the issues that the Inquiry is looking into is the ability for someone in a remote location to access and edit data within the counter systems. Would you consider that to be an example of remote access?
A. If that was permitted, that would be an example of remote access, yes.
Q. If it wasn't permitted, what would it be?
A. It would be unauthorised access.
Q.
Did you listen to the evidence of Anthony Oppenheim, which was given to the Inquiry on 26 October 2022?
A. Yes, I did.
Q. He was asked questions about what's been termed as "remote access" and the issue that I have just described, and he said in evidence: "What I can say is that any system you have, you have to have some kind of third line ability to get into systems and make changes." Would you agree with that as a broad proposition?
A. Yes.
Q. Why?
A. Because computers and computer systems go wrong, data can become corrupted and you need to have the ability to correct that situation.
Q. So, in the context of Horizon, in order for third line support to be able to provide effective support, did they need to be able to write data into branch accounts?
A. No, not to my understanding and to what we delivered as a secure system, no.
Q. Could you explain why that's your view?
A. Well, when I say to write data direct into the account, we gave a -- there's -- we used the management system for -- to manage the Riposte elements of the system and the Riposte elements is a proprietary product, which is the EPOSS system, and it consists of the application that runs on the post office counter and also the correspondence services where they harvest information from all the post offices. We used the Tivoli management capability console to enable that the access to those systems were both robust, ie it was audited, you can control access, you can control what happens, and the solution that was put in place was, firstly -- I don't believe you are able to change the data on the system, so the system -- each of the messages do have digital signatures, and that. What you can do is amend the solution by injecting new data to correct misbalances or miscalculations or where there is data missing, and that would be entered through the Tivoli management console.
So it would go through an audited and controlled technical entry but, over that, you would have a procedure as to you could only make such changes if you get -- there's a reason to do it and there's an authority to do, and the authority provided by the management, and the processes in that area to make the changes. So whether a person could directly go onto a counter -- and the solution that we delivered they had to go through a Tivoli management system, there would be a remote management console that's provided to remote users, and then there's a process to control how they can deliver data through that system that goes then into the Post Office.
Q. I'm going to explore that now and try to work through it stage by stage, by reference to some of the documents and, in your witness statement, you referred to two I think contract control documents that describe the technical security specifications of the Horizon IT system, one of them is the access control policy and the other is the security functional specification.
A. Yes.
Q. I want to turn to the second version of the access control policy, please, and that's the reference FUJ00087989. You should hopefully see that on screen now. We see this is a document for general circulation, including that it goes to Post Office Counters, from the distribution list. Is it fair to say that the purpose of the policy was to determine who had access to what within the Horizon IT system?
A. That is correct.
Q. Did you have any input into this policy?
A.
The policy -- I was the reviewer of the policy, so the person that wrote the policy was Belinda Fairthorne, that's the author there, so she is an access control specialist within ICL, in secure access to systems and -- So she wrote it and I was part of the reviewing to make sure that it -- so my role was to do a check that all the systems that we used within the Horizon System was controlled through this, ie it -- and all the users that required access for whatever purpose, with the exception of Post Office staff, were identified. And we had a policy of what was called role based access, so we would have a set of users which had defined privileges that aligned to the responsibilities of their role and it confined they could only do things on the system that their role had responsibility for.
Q. Yes. I do want to come to that shortly but if we could stay with this document for the time being and please turn to page 13, and towards the bottom there should be a diagram. Yes, thank you. Now, this diagram here, on the left-hand side there's a lined-off box which says "POCL and POCL Client Domain". That, as I understand it, is the Post Office backend servers which ICL wouldn't control?
A. That's correct.
Q. In the middle, we have something described as "Central Services Domain", and this is something over which ICL Pathway had control?
A. Correct.
Q. You have referred to it already, and we will come to it again shortly, at the bottom, within "Central Services Domain", we see the correspondence servers and that would have held one of the Riposte message stores.
A. Yes.
Q. At the very bottom, that's described as the "Office Platform Service" and that's essentially the post office counter.
A. Yes.
Q. Now, the post office counter, that would be described as a Windows NT work station --
A. Correct.
Q.
-- and that work station would run Horizon and, obviously, we have heard would also have Riposte on it to run.
A. The Riposte application, yes.
Q. Yes. I think you said this, but just to go through it in stages, that is a message system used to recall data into a message store of things such as transactions that occurred in the branch?
A. Yes, I think it's more accurate to say that Riposte was an Electronic Point of Sale System that was very focused on a postal-type service, so they developed a system that was very geared towards the postal-type trade that went across the -- within a post office, stamps, et cetera, so -- but Riposte, I would step back and say that's an Electronic Point of Sale System but was designed specifically for use in postal services around the world and was in use in other countries.
Q. But it would do that by having a local message store in the branch --
A. Yes.
Q. -- and, to that message store, transactions -- I'm paraphrasing here but transactions would be recorded.
A. Yes, all transactions that went through the system, whether successful or failed, will be recorded on that system.
Q. The design was such that, once a transaction was logged to the message store in the post office counter, it would then be transmitted to Riposte in the correspondence server.
A. Yes, it would be harvested overnight in batches and then the Riposte central servers would take all of the batches from each of the post offices and start to put those into a larger file for onward reporting.
Q. From your view, could a message be sent the other way, so from the correspondence server to write to the message store on the counter?
A. Yes, for the Tivoli management, yes. It is designed to do that.
Q. Please can we briefly switch documents to FUJ00088002.
Now, this is the other document that I referred to earlier and which you referred to in your witness statement. It's the "Security Functional Specification" and this is essentially to describe the technical features of the security functionality of the Horizon System.
A. Yes.
Q. Please can we turn to page 34 of that document and, if we could go down to 4.6., thank you. So this, just for context here is describing Riposte, which we have been discussing. If we could go over the page to 4.6.2, you see it describes the Riposte messages and the various types of information that can be included. In the paragraph that's at the bottom of the screen now, the last sentence says: "Only Riposte can [access] messages and the message store is protected using Windows NT Access Control Lists." Those access control lists, are those the group definitions or is it referring to the group definitions to which you were referring earlier, namely you ascribe a certain group certain permissions to access certain parts of the system?
A. That is correct.
Q. Please could I ask to turn the page on this document to where it -- thank you. This describes "Riposte Message Servers" and the first sentence says: "A Riposte Message Server is, typically, a Windows NT workstation or NT Server running the Riposte services." So we said earlier that the counter was a Windows NT workstation, that's correct?
A. That's correct.
Q. So for the purposes of Riposte, the counter is described as a Riposte message server?
A. (The witness nodded)
Q. You're nodding.
A. Yes, yes.
Q. Thank you. If we could, please, go back to the second version of the access control policy, that's FUJ00087989, and page 80, please. As I said, I took you to this document earlier, it's the access control policy, version 2, and this describes the "System Management and Support Services Domain".
I think from that it's clear but, just to put it to you: that would include things such as the SMC and the SSC offering second and third line support?
A. Yes, correct.
Q. Please could we turn the page and there should be a diagram at the top, if we could have that in view. Thank you. So moving from the left here this says "[Post Office] Counters, CFM, etc", makes a call to the Horizon System helpdesk, which is then transferred on to the SMC. In the middle, three diagrams down, there's what looks to be someone sitting in a chair and it says "SMC" with a line going to the right and "SSC, etc". Do I take it from that that this is describing, or this diagram is showing, access ways for both the SMC and the SSC?
A. That's correct, so the SMC would have direct access to the Tivoli management console. The SSC will have remote access but not with the same privileges as the SMC.
Q. So, at this stage, with this diagram, please, could you just give a broad outline, bearing in mind to try to make this as non-technical as possible, as to what the Tivoli access system was?
A. So Tivoli is a management system where it is able to control the software and the -- what is contained within the various service and applications within the Pathway and the Horizon solutions. So if we wanted to put a new piece of software or we wanted to inject anything onto that system for reference data, and it would go through the Tivoli management system. It would also have a full audit trail, an event audit as to what actions were taken by which role and which person that logged on under that role, which actions they took, to have a full inventory of auditing, whether it's machine or whether it's a human actions, what happened on that system. So if a change was made on a system, it can actually determine what made that change from a -- you know, from an access perspective.
It's also used to get events and that, so all systems will write events as to when a -- if a failure occurs, it writes a failure event. If access occurs, it writes an access event and it will harvest those events that's captured by all the various systems and have it available. So if there's an issue someone can retrieve those events to look to diagnose what that issue is as well. So it's used for diagnostic -- to provide information for diagnostic purposes and that's -- primarily what the SSC would get from those systems is information to help them understand, if they have a call with an issue, as to why that issue might be occurring.
Q. So just so we can break that into components then, so one use was to monitor events that are generated in the Horizon IT system --
A. To capture the events.
Q. -- to capture the events -- such that the support services can say "Hang on, something has gone wrong here we need to investigate"?
A. Correct.
Q. That was one use of Tivoli. Another use of Tivoli, I think you may have said -- it is referred to in the documents, but just so we are clear -- it is right, is it, that Tivoli could extract data from servers and branch computers?
A. I would have to default to the technical people on that as to precisely what it could and could not do but, certainly, it was used to distribute changes onto any of the systems and to record that distribution.
Q. So that's the third one, and when we say changes onto the system, does that include if someone wanted to insert data into branch accounts?
A. I'm not aware to the details of what they can and cannot do.
My awareness was it was used primarily for the software inventory management, so -- and reference inventory management, so we had a record of what software was being used where, it was the appropriate level of software and, also, what reference data was used as well to drive that software. I -- within the actual depths of Tivoli, the technical people would know what could and could not be done, but my understanding -- and it's not through my knowledge of how it works because I wasn't in that part of the solution, but my understanding was that messages are controlled via the Riposte application and, therefore, you would need access to Riposte application to be able to generate a message.
Q. Could you please turn to page 96, and further down there should be 9.7, if we may go there, please. Thank you. This is just to orientate ourselves that this part is for "Application Support". Over the page, there should be a diagram at the top and here we have at the top a diagram showing the SSC with their network and the line that goes down to the bottom saying "Pathway Data Centre", there's a box that says "Data Centre Systems with applications, middleware" is that referring to the central services domain with the correspondence server that we --
A. Yes, it is.
Q. Please could we turn over the page to page 98 and the heading 9.7.2. Thank you -- sorry, it's going to be 9.7.3, my apologies. This says that: "All application support users access Data Centre systems via secure NT workstations as described above. SSC, CFM and Oracle support staff access the Data Centre from other sites and may need to see DSS data. Therefore all these support users should authenticate using tokens." At the bottom, it says: "No application support users have access to Post Office counter systems -- errors here are diagnosed using logs of events extracted via Tivoli."
So is that your understanding of how the system should have operated at that point, that --
A. Yes.
Q. Does that mean that the SSC should not have been able to access counter systems?
A. Not within the -- correct, not -- correct, yes.
Q. A slightly different point though is: does that mean that the SSC shouldn't have been able to insert data into branch accounts through Riposte?
A. So all changes would need to go through the Tivoli management console, the Tivoli system and, therefore, it needs to be authorised and auditable. As I said previously, I'm not aware of the depths of what changes were. I was more on the software -- software levels and reference data -- reference data changes. Whether -- and, again, it's only an understanding, not through knowledge or ownership of that knowledge, that my understanding was only Riposte could inject messages into Riposte cash accounts.
Q. I would like to move to the third version of this access control policy and that's FUJ00087993. Thank you. We see the date at the top right is 18 December 1998, version 3.
A. Mm-hm.
Q. Again, you're on the distribution list of this. Did you remain a reviewer?
A. Yes, although probably -- no, probably distribution by that time.
Q. If not formally a reviewer, would you have had any input into the decisions or the changes that went into it?
A. It would be part of the group that made sure that what was in that was appropriate, correct.
Q. Please could we turn to page 89 of this document. Again, this is just to orientate ourselves, but we're back with "System Management Services Domain", this time under heading 8, or number 8, but this, again, refers to support services such as the SSC, doesn't it?
A. Yes.
Q. Please could we turn to the bottom of page 108.
Again, this is -- because the numbering has changed, just for context, 8.7 we're dealing with "Application Support", which we went to previously. Could I then please ask to turn to page 110. If we could go down -- preferably to keep 8.7.2 and 8.7.3, if that's possible. Thank you. Under 8.7.2, it says: "Application support roles are included in the relevant sections of the ACP. There are two main application support roles (for SSC and CFM) ..." Bullet point 1: "Application support users diagnose problems and have read only access to the main Pathway systems." Bullet point 2: "Application support managers can also correct data under controlled conditions -- see 8.7.3." If we can go down to that in full now, please -- thank you -- that says: "All application support users access Data Centre systems via secure NT workstations as described above. Some may need to see DSS data. Therefore all these support users should authenticate using tokens." Skipping a paragraph: "Where update access is to code, and time permits, correction of errors is by reissue of a new version of the software via the Configuration management system. When faster fixing is required, software updates may be made by CFM (operational management role) directly after a request by SSC, subject to agreed Pathway authorisation procedures." Stopping there, could you expand on what this paragraph means?
A. So it means, again, for our Tivoli management system, we are able to download into the system additional packages and that, so that clearly states that part of the ability of those downloads would be to inject additional data.
Q. Can we turn the page, please, thank you. It says: "In certain agreed circumstances, there is a need to correct data which has been corrupted by faulty code." Now, stopping there, your understanding -- what data was this referring to?
A.
My understanding of that would be transactional data recorded, would be my understanding of that.
Q. Where would that transactional data be recorded?
A. On the correspondence servers.
Q. Would it be recorded in the branch accounts as well?
A. The branch -- it would have been harvested from the branch counters.
Q. "Such corrections are made only by the application support manager, and are subject to agreed authorisation procedures." We can skip the next sentence: "In all cases, updates to code or data by application support staff require two staff to be present when the change is made and all such changes to be audited, identifying what has been changed (before and after values) and the individual who made the change." Now, my understanding of what you said earlier was that, when using the Tivoli system, that access gateway in itself audited all changes that were made to the system?
A. Yes.
Q. So this second paragraph here, because it states that two members of support staff are required and the changes must be audited, does that mean that this was referring to changes made outside of the Tivoli system?
A. I cannot comment on that, but they were robust, so the person that would -- so we had CISO, a chief information security officer, who was responsible for all operational security, and that's Barry Procter, and he would ensure that there were processes in place because all protection of systems and that are a combination of technical, procedural and physical protection. And he was ensuring -- well, he was accountable for ensuring that the process -- I could read that in two ways.
I could read that that is a second confirmation that, before undertaking the actions, that there is the proper authority and, therefore, there are two persons to make sure that the actions undertaken are correct -- we call it, in the industry, "four eyes", ie the person undertaking the correction, it gets the authority and they are watched by another person to make sure that what they are actually implementing into the system is as per what that authority says. So if there's a typo that will be picked up, for example. And that will be a procedural control and it could be viewed -- and it's a long time ago now, but it could be viewed that it was because of the nature that you actually -- you're putting data into the system that corrects what was previously there -- not replace but corrects, or if there's something missing to insert that data -- that they wanted to ensure that it was done -- it was authorised and it was done correctly because, again, the Tivoli system would have had a record of what's done but the reason and why it was done, the Tivoli would not have that, and that process would assure that that person had the right authorities and the right reason to make that change. So the technical solution could only just say who done what when, it could not say why. So just looking at that and going back, there is a number of additional procedures put in place by Barry Procter to assure that, if anything on the system was done in certain sensitive areas, there was a process around it which made sure that what was done was properly authorised and how that was enacted onto the system was correct.
Q. So I'm taking it that's your reading of this now, but the question I asked was: would the changes referred to here be made outside of the Tivoli system; as a matter of fact, do you know that?
A.
I wouldn't have expected it to but I would have to, again, remind myself and the security functional specification because that would have the actual technical components that allowed that access and, from my recollection, it's the Tivoli system that we managed access and changed to the Riposte elements of the system.
Q. We still have the line -- the sentence, sorry: "No application support users have access to Post Office counter systems -- errors here are diagnosed using logs of events extracted via Tivoli." There has been a change between these two policies here referring to data correction. Do you have any knowledge of the discussions that led to the inclusion of these paragraphs regarding the correction of data?
A. I don't recall that, no.
Q. Can we please then turn to the group definitions document. It is FUJ00087994. Now, this document is dated 22 December 1998, and it's -- I think if we just go down slightly, sorry. It is authored by you; is that correct?
A. Yes, that's correct.
Q. It says "Group Definitions for the Secure NT Build". If we turn to page 5, please, it sets the purpose of the document and, in summary, is it fair to say that this was to define the access rights of various groups to the various domains, such as central services and the post office counters?
A. Yes, and the purpose of the document was to be able to give to the technical teams sufficient information so they implemented the policy correctly, because the policy is at a relatively high level and, therefore, they needed additional information as to how to implement that policy into the technical solution.
Q. In the second paragraph, under number 3, it says: "It should be noted that the Pathway solution has moved on since Version 2 of the ACP was issued and, as such, the Groups defined at Appendix A do not always correlate with the roles defined in [ACP].
This will be 15 addressed by feeding these role definitions into the 16 current review of the ACP which will be subject to a CP 17 once all necessary changes have been agreed." 18 We went to the access control policy earlier, which 19 was, I think, 18 December, so a few days before this was 20 drafted. 21 A. Yes. 22 Q. When you drafted this, do you remember if you were up to 23 speed with the likely changes that were to be made to 24 version 3 of the access control policy? 25 A. I would have needed to have been to create this 28 1 document, yes. 2 Q. Please can we turn to page 9. I think we will need to 3 flip this. Oh, no, it is already done. Thank you. 4 This is a table later on in this, which in my 5 understanding, is that this sets out the various groups 6 and the various privileges that they had; is that 7 correct? 8 A. That's correct. 9 Q. On the left there, it says "Group Name to be 10 implemented", "SSC", "SSC Apps MAN", is that SSC 11 management? 12 A. Yes, application management. 13 Q. Thank you. Looking at the tools on the second column 14 the Tivoli remote console, is that the Tivoli system you 15 were discussing earlier? 16 A. That's correct. 17 Q. I think it's three down, there's one called "Rclient". 18 Do you recall what this tool did? 19 A. No. It was a remote client so -- but what that client 20 actually did, I would imagine it would be something that 21 showed a visual view of what Riposte system was, but 22 that would be my assumption. 23 Q. Would you have known at the time? 24 A. So much of this was derived from the technical people, 25 so Glenn Stevens was the Tivoli person, so he was the 29 1 one that technically would tell me the makeup of 2 a remote console and the Tivoli management system. So 3 I would have got that information from him. 4 Q. Would you have known what access or privileges that tool 5 allowed a person using it to have? 6 A. I would like to have thought so at the time, but now 7 I can't remember. 8 Q. 
If we go further down, there's a series of tools 9 referred to with Riposte first. It is fair to say these 10 must be related to the Riposte system. Just over 11 halfway down, there's one called 12 "RipostePutMessage.exe". Do you know what that tool was 13 for? 14 A. From recollection, I can't be certain, but I could 15 hazard that that would be to enable a message to be 16 added into the Riposte system. 17 Q. Could it be insert a message with transaction data in 18 it? 19 A. Yes, if it was a Riposte message, yes. 20 Q. In the third column, it says "NT Servers", and below it 21 says "All Servers". Would this mean that -- would "All 22 Servers" include the counters? 23 A. Yes. 24 Q. In "Access rights", in the fourth column, it says 25 "Read/Write/Execute". 30 1 A. Yes. 2 Q. So, just to go through, that means that the SSC 3 management had writing privileges to all servers, 4 including the post office counters, using the tool 5 called "RipostePutMessage"? 6 A. Yes. 7 Q. So from that, is it right that the SSC could insert data 8 into a branch account directly? 9 A. From my recollection, it would be through the 10 correspondence servers, from my recollection. I see 11 "All Servers" there and "All Servers" would also include 12 the servers that's at the post office counter but, from 13 my recollection, it was through the correspondence 14 servers where it was harvested. 15 Q. When security tests were run to test whether or not the 16 final product was secure and to specification, would 17 those people testing the system have had this document? 18 A. Yes, they would have. 19 Q. So, if they were testing it, reading this, would they 20 be -- do you think they would be under the impression 21 that there could be the direct right for SSC apps 22 management to write transaction data into the branch 23 accounts? 24 A. 
Potentially, but they would also have access to the 25 design documentation for those particular modules, so 31 1 they would have knowledge as to what those modules would 2 allow and how it would allow it to happen, and they 3 would enable that for their test analysis and also to 4 write the test script to actually enact the test that 5 we're enabling what's allowable and not enabling what's 6 not allowable under the policy. 7 Q. What we have just come to from this document, isn't that 8 inconsistent with what's said in the access control 9 policy, that there shouldn't be direct access to the 10 counters? 11 A. If that's what is meant in this document, yes, but, as 12 I say, my understanding at the time was access was 13 through the correspondence servers and that's where any 14 corrections was made, was my understanding, but that's 15 my memory. 16 Q. Thank you. Do you have any knowledge of how the 17 RipostePutMessage.exe tool, if it was used, would be 18 audited -- its use would be audited? 19 A. The use of all tools would be audited through the 20 Riposte management console -- sorry, the Tivoli 21 management console. So this would go on to the Riposte 22 client and that would go through the remote console and 23 that would be able to audit what tools were being used 24 by what person. 25 Q. Are these not separate tools? 32 1 A. These are tools that were within the same work station 2 and the Tivoli management console would be the overall 3 kind of framework for which actions were undertaken. 4 Q. Earlier in your evidence, when I was talking about the 5 Tivoli remote console and whether it could be used to 6 insert messages or transaction information into branch 7 accounts, did you not say that that was handled by 8 Riposte? 9 A. It is handled by Riposte, yes. So it's a separate tool 10 set, yes. 11 Q. 
So, in which case, if it's a separate tool set, is it 12 right that it wouldn't be subject to the same audit 13 requirements -- sorry, the same audit process that the 14 Tivoli remote console offers? 15 A. Potentially, but it will have its own auditing 16 capability. 17 Q. Do you know what that was? 18 A. Not from memory, no. 19 Q. Please could I now turn to page 7. There's a group name 20 on the left, first one, "ICL Outsourcing, Application 21 SUP", could you just help us with what that refers to? 22 A. That will be application support. 23 Q. Who were application support? 24 A. I believe but, again, I'm just trying -- that that would 25 be the second line up in -- there was a -- probably SMC, 33 1 but, at this stage, I can't -- 2 Q. Can't recall? 3 A. I can't recall. 4 Q. Thank you. In terms of audit data, are you aware 5 personally of any audit data that was captured which may 6 record key strokes made by a subpostmaster on the EPOSS 7 system? 8 A. No. 9 Q. Are you aware if there was any system put in place to 10 notify a subpostmaster when changes had been made -- 11 when or if changes had been made or transactions 12 inserted into the branch accounts? 13 A. No. 14 Q. Please can we turn to page 6. This describes the "NT 15 Administrator User", and it says: 16 "The Windows NT operating system is provided with 17 a super user known as the 'Administrator'. This user 18 has full administration and configuration privileges 19 which is exercised at both system/server and domain 20 level. This capability cannot be removed from 21 Windows NT. Pathway recognises the power that this user 22 has and the ability that a human user, using the 23 administrator user, has to interfere with the day-to-day 24 operation of the Pathway solution. 25 "To address this issue, Pathway will limit and 34 1 restrict the use of the NT Administrator User. This 2 will be achieved by: 3 "Renaming the Administrator User on all NT Servers 4 so that it is hidden from the system. 
The account name 5 and password will be specified by the Pathway Security 6 Manager, which will be strictly controlled and stored in 7 a secure safe. 8 "Restrict full administrator privileges to the 9 'Operational Management' role. Use of this role will be 10 subject to the management and procedural controls set 11 out in the 'Pathway Code of Practice' ..." 12 Just, in lay terms, could you please explain the 13 problem that's identified here. 14 A. So every system will have -- will create the -- would 15 enable -- well, so every system that we use in computing 16 always has the ability to enable its recovery from the 17 most extreme of failures and that requires people to go 18 into the system with privileges, which enable them to 19 effectively manipulate the application for whatever 20 reasons it is required to manipulate the application. 21 So on a Windows NT, it's a -- or any Windows device 22 it's called an "Administrator", so they can make changes 23 and that with higher privileges they have to make 24 changes to be able to access the system where people 25 have lost passwords or whether something is 35 1 non-recoverable, they're able to get into the depths of 2 the system. 3 With Oracle systems, it is called "Root User". 4 All systems have this and, sometimes, it will be 5 necessary if there's a fatal error that someone would 6 need those privileges to recover from the fatal error. 7 So Barry Procter who is the security manager, the 8 control that he put in place was he controlled the 9 passwords for those and those passwords were locked in 10 a safe. If -- there were certain authorised people that 11 could access that safe and that would be -- there were 12 manual controls where they would have to log in and log 13 out and when they used that password, because they have 14 to get authorisation to use it from the security manager 15 or the deputy. 
When they use that password, after using 16 that, Barry Procter or other security manager will reset 17 that password so it cannot be reused again. Again, that 18 goes under the secure processes. 19 So it is recognised that, on all computer systems, 20 there may be a requirement to be able to access the 21 system and have, effectively, privileges to make 22 whatever changes into that system as required to get it 23 going again. So, with regard to the NT system, it would 24 have access to things like audit logs as well, so it 25 would be able to, if misused, remove audit trails, 36 1 et cetera, of activities that have happened on this 2 system. 3 Q. Using this function -- so that's the audit logs. Using 4 this function, would a user be able to access the 5 message store? 6 A. They would be able to access the message store. They 7 would not be able to make changes without going through 8 Riposte. 9 Q. The security systems you have described, in terms of 10 hiding the -- essentially, taking the password away from 11 general circulation, save for when someone requested it 12 from Mr Procter, that was a human-based system, in that 13 it required Mr Procter -- 14 A. That's procedural. Well, he would delegate it down to 15 management layers and that would be set out in 16 PA/Standard/010 Code of Practice. 17 Q. Apologies if you said that in your answer but, just so 18 we're clear, could a remote user use the -- log in and 19 use this administrator feature, if they had the 20 password? 21 A. Yes. 22 MR STEVENS: Sir, if I may just take one more point before 23 a break, it will take me to the end of this theme. 24 SIR WYN WILLIAMS: Yes, of course. 25 MR STEVENS: Thank you. Please could I ask to turn up 37 1 FUJ00088036. 2 Now, this is a document you referred to earlier 3 having seen this morning, dated 2 August 2002. It's 4 a "Secure Support System Outline Design". Please could 5 we turn to page 9 of that document. 
6 It says the SFS, which is the security functional 7 specification: 8 "... mandates the use of Tivoli Remote Console ... 9 for the remote administration of Data Centre platforms. 10 This records an auditable trail of log-ins to all boxes 11 accessed by the user. It is a matter of considerable 12 discussion and correspondence that TRC is slow and 13 difficult to administer. This has led over time to 14 BOC ..." 15 I think that's Belfast Operation Centre, is it? 16 A. Yes. 17 Q. "... to BOC personnel relying heavily on the use of 18 unauthorised tools (predominantly Rclient) to remotely 19 administer the live estate." 20 Now, pausing there, having seen that, do you recall 21 what Rclient did or could do? 22 A. Not on seeing that, no. 23 Q. "Its use is fundamental for the checking of errors. The 24 tool does not however record individual user access to 25 systems but simply record events on the remote box that 38 1 Administrator access has been used. No other 2 information is provided including success/fail so it is 3 not possible to simply audit failures. The use of such 4 techniques puts Pathway in contravention of contractual 5 undertakings to the Post Office. 6 "... the proposals in this [document] have been ..." 7 Sorry: 8 "After the proposals in this [document] have been 9 implemented a CP will be raised to phase out TRC (or 10 limit its use to exceptional situations)." 11 I don't want to ask you about that tool or what 12 happened going forward, but I do want to turn to 13 page 15. Thank you. 14 If we could get all of 4.3.2 in. Thank you. 15 This refers to "Third line and operational support" 16 and this would include the SSC, wouldn't it? 17 A. Yes. 18 Q. It says: 19 "All support access to the Horizon systems is from 20 physically secure areas. Individuals involved in the 21 support process undergo more frequent security vetting 22 checks. 
Other than the above controls are vested in 23 manual procedures, requiring managerial sign off 24 controlling access to post office counters where update 25 of data is required. Otherwise third line support has: 39 1 "Unrestricted and unaudited privileged access 2 (system admin) to all systems including post office 3 counter PCs; 4 "The ability to distribute diagnostic information 5 outside of the secure environment; this information can 6 include personal data (as defined by the Data Protection 7 Act), business sensitive data and cryptographic key 8 information. 9 "The current support practices were developed on 10 a needs must basis; third line support diagnosticians 11 had no alternative other than to adopt the approach 12 taken given the need to support the deployed Horizon 13 solution." 14 Now, it is fair to say that that is entirely against 15 what the access control policy says should happen; do 16 you agree? 17 A. I agree. 18 Q. Do you know how it was that the SSC were able to get 19 such access to post office counters' systems? 20 A. I have no knowledge, no. 21 Q. Do you know why testing didn't pick that up? 22 A. We would have tested the solution that was designed to 23 be implemented and that's not part of our design or 24 implementation, so if they had tools that were not part 25 of our solution, we would not have had that in our test 40 1 environment. 2 Q. We saw earlier -- we went to Rclient. That was in the 3 group definitions. 4 A. Yes. 5 Q. Isn't the purpose of the security testing to ensure that 6 the requirements of the access policy are met in the 7 system? 8 A. Yes. 9 Q. So isn't this exactly what the testing is going to -- 10 this is what the testing should find out, basically, 11 whether or not SSC had this access? 12 A. It would -- it would determine what console had what 13 access. Who had access to what console was then 14 procedural. So if it was on the SSC console, yes. 15 Q. 
Do you have any knowledge of how the SSC developed the 16 use of these -- I will just call them access pathways to 17 Post Office Counters? 18 A. No. 19 MR STEVENS: Sir, I think that's a good time to pause, as 20 I will be moving on to another topic? 21 SIR WYN WILLIAMS: Yes, that's fine. Thank you very much, 22 Mr Stevens. 11.30 all right? 23 MR STEVENS: Yes, sir, thank you. 24 SIR WYN WILLIAMS: Fine. 25 (11.16 am) 41 1 (A short break) 2 (11.29 am) 3 MR STEVENS: Sir, can you see and hear me? 4 SIR WYN WILLIAMS: Yes, I can, thank you. 5 MR STEVENS: I want to move on to some aspects of design and 6 testing. In your witness statement, you refer to 7 a "Jeremy Fawkes" and that's spelled F-A-W-K-E-S. The 8 Inquiry has received evidence from Jeremy Folkes spelled 9 F-O-L-K-E-S. I just want to check those are the same 10 people you're referring to? 11 A. Yes. 12 Q. Did you listen to Mr Folkes' evidence earlier -- last 13 week, sorry? 14 A. No. 15 Q. I would like to turn up his witness statement and that 16 is WITN05970100. If we could go to paragraph 84 on 17 page 28, what he says there is: 18 "... except in areas where we had an explicit right 19 in the Contract to a document (such as the [Security 20 Functional Specification]), we only had limited or 21 partial visibility of the emerging Pathway systems, or 22 of their design/development approach. This meant that 23 we could not gain confidence of what Pathway were 24 creating (or its suitability or fitness for purpose), or 25 have confidence in how Pathway were developing (and 42 1 therefore what Quality mechanisms were in place)." 2 In your view, does that represent a fair position 3 between Post Office Counters and Pathway in 1999? 4 A. So my recollection in 1999 was they had no formal 5 reviewing rights to the technical design documentation. 
6 However, from my perspective and in the security, 7 I encouraged -- well, myself and I encouraged my team to 8 ensure that we -- 9 MR STEVENS: Sir, I'm sorry -- sorry to interrupt you -- it 10 sounds like the transcript has stopped. So if you could 11 just pause there. We will just investigate how long it 12 will take. 13 Sorry, sir, I think we will need five minutes to 14 resolve it. 15 SIR WYN WILLIAMS: All right, I will stay close to the 16 screen but I will go off screen, so just let me know 17 when you are ready to start, all right? 18 MR STEVENS: Thank you. 19 (Pause) 20 Sir, can you hear me now? 21 SIR WYN WILLIAMS: I can and I'm coming back. 22 MR STEVENS: Thank you, sir. As quickly as it went off, it 23 came back on. 24 SIR WYN WILLIAMS: Yes. 25 MR STEVENS: I apologise, I interrupted you for the 43 1 transcript. 2 The question I had asked was whether you thought 3 that Mr Folkes' summary of the situation regarding 4 visibility to documents for Post Office was a fair one 5 and you were giving your answer. 6 A. Yes, so from a point of policy with technical design 7 documents, the Post Office were not formal reviewers. 8 However, in a number of -- in my area, I certainly 9 worked closely both with Jeremy, and formerly with 10 Gareth Lewis, because from my recollection Jeremy had 11 a -- well, he was with Gareth within the security unit, 12 but I think he had a wider role as well. 13 And it was important because, from my perspective, 14 when I come into the account, I was advised that 15 security -- or where we were with regard to delivering 16 the security product and my focus was very much on the 17 cryptographic products, and that sort of stuff -- were 18 one of the reasons that we were limiting our ability to 19 deploy, not the only reason but one of the reasons. 
20 So, for example, there was a number of documents, 21 particularly management design, we were quite open with, 22 so in his team he had a couple of people that he 23 assigned to oversee the testing, security testing and 24 things. And, certainly, I had no objection to him 25 looking at things like the technical environment 44 1 descriptions, the key management system designs and 2 that, and he did comment and feedback some very useful 3 information in those areas but, as a formal reviewer, 4 no, they didn't have those rights. 5 Q. So your evidence is that you would show to Post 6 Office -- the people you dealt with at the Post 7 Office -- technical documents? 8 A. Where appropriate, yes. 9 Q. Is there any documentation -- have you seen any 10 documentation that shows you sending the documents to 11 Post Office? 12 A. I -- when you say "send" the document, certainly we had 13 meetings to review. Certainly, we -- we certainly sent 14 the technical primary description. We certainly had 15 meetings with regard to the KMS and random number 16 generated, et cetera, where we needed his input or his 17 thoughts -- I say "input", we wanted to assure ourselves 18 that the direction we were taking would be acceptable to 19 the authority. 20 Q. So is it that you would have meetings where you would 21 discuss the matters? 22 A. Yes. 23 Q. But would you -- just to clarify, would you formally 24 send the documents to Post Office Counters? 25 A. I wouldn't formally myself send them, no, because all 45 1 correspondence would go through our (unclear) on 2 a formal -- 3 Q. Mr Folkes goes on to say: 4 "One specific gap was any access to Software Quality 5 information or metrics, such as number of bugs found in 6 testing or the amount of rework being done, both of 7 which are good indicators as to the stability or 8 maturity of a product." 9 Again, do you consider that to be a fair reflection 10 at the time? 11 A. 
At that time, I only had responsibility for the security 12 testing team and they had two people which they assigned 13 from the authority. I forget their names -- one was 14 called Clifford, but I forget their names, and we would 15 have reviews and they would actually base themselves for 16 periods of time each week where our security testing 17 were located, so they weren't restricted from that area. 18 And we would have conversations, but I would be very 19 keen to get their view with regard to the business 20 impact aspects of any defects that we had because, with 21 any software system, there could be defects, there's 22 a balance between risk and time, so that you -- very 23 rarely would you see a system go live with no defects, 24 and I wanted to ensure that the defects we were focusing 25 the teams on fixing were those that would be deemed of 46 1 sufficient priority, you know, within the Post Office, 2 if we didn't fix it, it would stop us going live. 3 So we did have discussions and we had triage 4 sessions with the people that he allocated or Post 5 Office allocated to work with us on testing. 6 Q. In your statement, you refer to the PinICL system, which 7 was used to log defects as they arose or as they were 8 found in testing. 9 A. Yes. 10 Q. In broad terms, is it fair to say that that was a sort 11 of central repository of bugs, errors and defects and 12 the work that was going on into investigating them and 13 resolving them? 14 A. Yes. They had a history of the defect and how it was 15 resolved. 16 Q. Who operated that system, the PinICL system? 17 A. It would be within ICL Pathway. I don't know which area 18 of ICL Pathway. 19 Q. Are you aware of anyone outside of ICL Pathway who had 20 either read or write access to the PinICL system? 21 A. No. 22 Q. Specifically, did anyone at Post Office have read or 23 write access to the PinICL system? 24 A. Not to my knowledge. 25 Q. 
So when you said you were discussing defects with them 47 1 and seeking their views on business priority, et cetera, 2 those were PinICLs that you put -- or information that 3 you put forward to him -- 4 A. Yes, we would often do a review of an Excel -- we would 5 dump to Excel or print to Excel outstanding or open 6 defects, which would have high level descriptions. It 7 wouldn't have the detail of the analysis, and that, in 8 that, but it would have sufficient for us to, you know, 9 have a discussion around, if this defect or this fault 10 still existed in the system, would that prevent us going 11 live? 12 Q. I would like to bring up your statement now and it is 13 paragraph 37(b) on page 14. So it is WITN04800100. 14 Do you have your witness statement in front of you? 15 A. Yes, I do. 16 Q. It appears we can't put on the screen but I will read 17 out the relevant parts. I would ask you to turn to 18 paragraph 37(b) on page 14. 19 A. 37(b)? 20 Q. 37(b), yes, please. It says: 21 "My team also needed to clear defects raised through 22 testing and resolve them prior to the go live of New 23 Release 2. Not all defects that we had agreed with the 24 Post Office should be fixed before going live had, in 25 fact, been fixed in the planned timescales." 48 1 Just pausing there, did you think, at this point, 2 that the Horizon IT system was ready to go live when it 3 did? 4 A. I -- my recollection is it was one of the contributing 5 factors to another delay. So it wasn't a case we went 6 live with those unfixed because it was not fixed, it was 7 another contributing factor. 
There was a series of 8 delays, it wasn't the only one, but I was fully aware 9 that the preparedness of the security and where we were 10 with regard to the defect position, we were not able to 11 go live or get acceptance -- become an Acceptance 12 Incident in that defect, and probably be -- from the 13 information that we received and discussed, it would 14 probably be deemed as a high Acceptance Incident, which 15 would prevent us going live anyway. 16 So it's a case of, from recollection, it's one of 17 the contributing factors to a number of the delays that 18 we had during release 2, New Release 2. 19 Q. So from a security perspective, when it was released, 20 did you think there were any material problems with the 21 system? 22 A. From a point of the security products, no. That 23 weren't -- and those outstanding defects were fully 24 visible to the authority. 25 Q. You go on to say -- you first refer -- 49 1 SIR WYN WILLIAMS: Sorry, Mr Stevens, can I just understand 2 that last answer in conjunction with the ones before. 3 The sentence that Mr Stevens read to you, is that 4 an acceptance that not all defects had been fixed by the 5 time the Go Live started, or were you saying that, 6 because not all the defects were fixed, there were 7 delays before the Go Live started? 8 A. It's the second. 9 SIR WYN WILLIAMS: Right. Okay, I understand, thank you. 10 MR STEVENS: In your statement, you refer to the people at 11 Post Office and you were speaking of earlier Cliff and 12 another, who you said were there for -- well, looking at 13 security testing, and one of the things you say, again, 14 in paragraph 37(b) is they also -- sorry -- yes, 37(b), 15 is: 16 "They also reviewed the position around unresolved 17 defects at the point of exiting the security test phase 18 and they audited test results and PinICL content for 19 accuracy." 20 Could you expand on that part, "they audited test 21 results and PinICL content for accuracy"? 22 A. 
So the test results would be for the test report, so the 23 test report would have a detail of all the tests run, 24 those that couldn't be run, for whatever reason, or were 25 not run, the failures and the outstanding -- outstanding 50 1 faults or PinICLs in the system. 2 The -- where I say "inspect the PinICL", we would 3 discuss the detail of each of the PinICLs, so they 4 understood from a business perspective whether or not -- 5 how to classify those and whether they would become 6 Acceptance Incidents or not. 7 Q. When you say audited the PinICL content, again that's 8 the -- is that PinICLs that you provided to them? 9 A. I think it's reviewed, as opposed to audited. 10 Q. Reviewed. 11 A. Reviewed. 12 Q. Could I please ask for FUJ00078278 to be brought up. 13 This is an "ICL Pathway Programme Office Monthly 14 Report", from May 1998. Can I turn to page 17, please. 15 Sorry, over the -- no, that's it, sorry, my apologies. 16 So "Security and Audit", this section. Would you 17 have contributed to this report? 18 A. Yes, I would have. 19 Q. It says: 20 "Progress for NR2 continues to be slow, which is 21 reflected in the secure test statistics. The 22 requirements for security has exposed the lack of 23 management and control over the platform structures. 24 This is causing difficulties in the application of 25 security." 51 1 Please could you expand on the "lack of management 2 and control over the platform structures"? 3 A. From memory, I would likely be referring, at that point 4 to there were a number of defects raised because the 5 required controls were not in place in the solution that 6 was delivered into our test environment. 
So, at the 7 point of testing, the controls that we should have 8 there, or the security products that enforce those 9 controls, were not either delivered or configured on our 10 test environments and, therefore, we had to raise 11 defects to get those into the baseline of the solution 12 that could then be redelivered into the test to check 13 that those now exist. So that's not through 14 100 per cent exactly why I wrote that, but that would be 15 my interpretation of that. 16 Q. What was done -- was anything done to change that? 17 A. Yes, we would have to get those fixes in because each 18 one of those would be highlighted by a defect that would 19 be raised as to why there was a missing control, there's 20 a missing element of security, and we would have 21 a failed test associated with it. 22 Q. In your witness statement, you refer to the -- as we 23 said earlier -- automated key management system, at some 24 length. Are you aware of the automated key management 25 system having any involvement with, or being a cause of, 52 1 subpostmasters seeing discrepancies in their branch 2 accounts? 3 A. It would not have, no. 4 Q. As I understand it, that's purely a matter of 5 encryption, is it? 6 A. It's the management of the encryption keys to be able to 7 do that across the distributor's estate, yes. 8 Q. Did you have any involvement in the acceptance process? 9 A. No, the -- sorry, not in the process itself. We were 10 a key feed into the process for our test reports and 11 analysis of the remaining defects within those test 12 reports, but I was not party to any of the acceptance 13 process discussion meetings or reports themselves. 14 MR STEVENS: Sir, that's all the questions I have. We do 15 have some questions from recognised legal 16 representatives. I think Mr Stein is first on the list, 17 I think. 18 SIR WYN WILLIAMS: All right. 19 Over to you, Mr Stein. 
20 Questioned by MR STEIN 21 MR STEIN: I represent, Mr D'Alvarez, a large number of 22 subpostmasters, mistresses and managers. I'm instructed 23 by Howe & Co solicitors and I have a few questions for 24 you that deal with a document which will go on screen in 25 a moment, which is found at FUJ00000071. 53 1 Can we go to page 1 of 914, please. Now, this 2 document is, as you can see, the agreement between Post 3 Office Counters Limited and ICL Pathway Limited for the 4 "Information Technology Services Agreement for Bringing 5 Technology to Post Offices", so it's the baseline 6 agreement. 7 The codified agreement then sets out, at various 8 stages of the document, different parts of it refer to 9 different aspects of the implementation of Horizon. So 10 we're going to look, first of all, at page 91 of 914. 11 Now, this is a schedule, "Schedule A02 -- Policies and 12 Standards", and set out within this, therefore, are 13 policies and standards defined in the schedule to apply 14 to all relevant aspects of POCL services unless amended. 15 So all we have under this particular section of the 16 codified agreement are various policies and standards 17 that need to be applied and, in particular, I'm going to 18 ask you about prosecution support responsibilities under 19 the codified agreement. 20 Page 97 of 914, please. If we can centre on the 21 section which is at 4.1.8 and 4.1.9, "Prosecution 22 support". Thank you. 23 Now, I appreciate, Mr D'Alvarez, you may not have 24 been taken directly to this before within the bundle of 25 papers that you've got, so I'm just going to read it 54 1 through: 2 "Prosecution support 3 "The Contractor shall ensure that all relevant 4 information produced by the POCL Service Infrastructure 5 at the request of POCL shall be evidentially admissible 6 and capable of certification in accordance with Police 7 and Criminal Evidence Act (PACE) 1984 ..."
8 It then goes on to refer to two other parts of 9 legislation applicable in Northern Ireland and Scotland 10 that are similar. Then at 4.1.9: 11 "At the direction of POCL, audit trail and other 12 information necessary to support live investigations and 13 prosecutions shall be retained for the duration of the 14 investigation and prosecution irrespective of the normal 15 retention period of that information." 16 So, in short, what we have here is a need for the 17 system to be able to provide evidence which is 18 evidentially admissible and capable of certification in 19 accordance with Police and Criminal Evidence Act. The 20 second part then is about document retention for 21 investigations and prosecutions. So do you understand 22 what the purpose of this particular policy is? 23 A. I do understand the purpose of that policy, yes. 24 Q. During the time when you were working on Horizon, from 25 your perspective -- which we understand is security 55 1 access, infrastructure in relation to that, maintenance 2 of audit trails so that access can be considered and 3 looked back upon -- what was done to ensure that any 4 access required under these provisions was recorded? 5 A. So with regard to prosecutions and that, I was not party 6 to any -- I had no engagement with the area of Pathway 7 that supported prosecutions, so my focus was the 8 delivery of the security as per the standards, so 9 I think, if I remember rightly, preceding this section 10 there's a set of standards, like Post Office security 11 standards and things, we had to comply with. 12 With regard to my knowledge of Police and Criminal 13 Evidence Act, I'm not an expert, but I am sufficiently 14 knowledgeable in the areas that impact computing systems 15 because of my work with the Met Police. 
I'm trying to think now, because it was so long ago, I think it is section 69, which basically puts the umbrella of -- any computer data or extract from computer systems comes under I think the general -- if I remember rightly -- the general view of documentation and therefore we needed to --
So my element would be the last element of what Police and Criminal Evidence Act, or my understanding of it back -- well, now remembering back -- would be that can we provide a level of -- I'm trying not to use the word "evidence", but assurance that the data that has been produced to support any prosecution is complete and if there's been any -- it's not been tampered with or whether it's any changes, that the changes to that data is readily auditable from a computing aspect.
But, from my understanding of the Act, it's more about the caseworking and how you -- making sure that the data that's been provided or the documentation being provided is relevant to the case that's being formed, then the completeness of that data for the purposes it's going to be used for, obviously, would be through the assurance that the data we captured on the Riposte system was complete. And then my element would be the third element, that, should there be any requirement to change that data and that, that that data is auditable and any changes able to be understood and the rationale for those changes -- well, on the system, we can say what was done. The rationale would be the wider policies that was put forward by Barry Procter with regard to those various processes that you could only do certain things on the system under certain instructions and certain authorities.
Q. You mentioned a number of times in your evidence just a few moments ago "my element would be the last element".
Are you saying that you had direct responsibility for one aspect of evidence that has been produced for the purposes of investigations and prosecutions?
A. No, I had direct responsibility for the system.
Q. Right, okay. Well, let's stay with that last element that you're describing, which is the third element that you mentioned now twice. That third element, who had responsibility for ensuring the data integrity of the information that's provided for the purposes of investigations and prosecutions?
A. I'm not aware who had that responsibility.
Q. Are you assuming that there was somebody?
A. I would expect there to be, yes.
Q. Right, and with your knowledge and, indeed, the amount of time that you spent working within this particular company, can you not help us with who that's likely to be?
A. Typically, it would be the chief information security officer.
Q. Right, who was?
A. Barry Procter.
Q. So that's Mr Procter. Was he based at your office?
A. Sorry?
Q. Was he based in your office?
A. He was based in Feltham, I was based in Bracknell.
Q. Right, okay. So you think Mr Procter would have been the person who likely to have had dealings with any questions, requests for information that related to prosecutions; is that correct?
A. It's an assumption I have, yes, but I don't have actual knowledge of that.
Q. Now, you have been taken to a variety of different policies by Mr Stevens who has been asking questions on behalf of the Inquiry. Can you help with your recollection of policies that related to the provision of data and information for investigations and prosecutions?
A. No.
Q. No, because you didn't have any dealings with it or no because they didn't exist?
A. I was not aware of any and I ...
Q. Do you think there should have been some?
A. Yes.
Q. If such policies did not exist, who would you say would have been responsible for that gap?
A. It would -- again, I would put it under the areas of operational, so it would come under Martyn Bennett who Barry Procter reported into. But my knowledge of -- I was aware that people provided information for evidence but that was done from a customer services side and the operational side.
Q. Right. So customer services, do you mean the helpdesk side would provide --
A. Well, customer service -- not so much the helpdesk, but customer services would be the service management. So there's a management layer within our customer services headed up by, at that time, Steve Muchow, from recollection, and he would be there for all the management of the services that we actually provide to the -- operational services and that, that we provide to the Post Office, once it has gone live.
Q. Now, your work concerned the security of Horizon and the protection of the system from unauthorised access; do you agree?
A. Yes.
Q. What arrangements were put in place to allow investigators investigating possible criminal offences or, indeed, investigating maybe matters that might go to the civil courts -- what arrangements were put in place to allow investigators, instructed by perhaps the prosecution or the defence, to access the system?
A. I can't recall.
Q. With your background working within a Police Force, you understand that sometimes investigators need to, in fact, interrogate the system themselves, police investigators, as an example, yes?
A. Yes.
Q. Sometimes they may need assistance in gaining access on to a system so that they can ensure that the data within it, or indeed the system itself, is working properly, yes?
A. Yes.
Q. Does that not come within your department?
A. So we're in what we put -- I would need to refresh my memory on the audit and the roles that we set up for the audit policy, so we had an audit solution, which retained the data required -- well, any changes that were made. I cannot recall all the roles that were set up for that -- this area, and I was not required to review by the company what was put in place with regard to the support roles.
Q. Were investigators from within the Horizon System -- you have described the potential for people from the helpdesk side of it, or the support system side of it providing information to assist investigations or prosecutions. Would those individuals have to leave an audit trail specifically related to investigations and prosecutions?
A. Not specific to any investigations and prosecutions to my awareness, no.
Q. Was that something under your control, the question of whether somebody is having more general access, ie support desk access, or investigation and prosecution access; was that something under your control?
A. Not under my control, no.
Q. Under whose control was that?
A. That would be under anyone who has access to the system when it had gone operational, would be under the control of either the security manager and/or the service director.
Q. Back to Mr Procter
A. Barry Procter and/or Stephen Muchow.
MR STEIN: Thank you, sir.
SIR WYN WILLIAMS: Anyone else?
MR STEVENS: Yes, I believe Ms Page has some questions.
SIR WYN WILLIAMS: Fine. Over to you, Ms Page.
Questioned by MS PAGE
MS PAGE: I also appear for a number of the subpostmasters in this Inquiry as Core Participants. My name is Flora Page.
If I could, please, ask for document number FUJ00077861 to be displayed. This appears to be a risk register with your initials under the column C, which you see has the word "Who" at the top.
A. Yes.
Q. So am I right in thinking that that means that those risks which have your initials against, "ADA", that means that you were the risk controller, if you like, or the person in charge of that risk?
A. Yes.
Q. What we see on the first row is a risk which is categorised as A, at row 7, and the description of the risk is:
"Migration complexity, coupled with failure of other delivery units to meet KMS and VPN dependencies to required delivery dates and specification, impacts delivery date and costs. The whole migration issue has been loaded with added complexity and risk due to the removal of the incremental migration strategy ..."
Can we just sort of decode that a little bit. From the dates elsewhere on this schedule it looks as if this is referring to the rollout itself, the full national rollout, '99 through to 2000; is that right?
A. That would be -- if it's the key management system and VPN that -- we would have to deliver that in New Release 2 to be able to rollout, yes.
Q. What it seems to be suggesting is that there was a removal of an incremental migration strategy, does that suggest that everything was then going to be rolled out in a sort of big bang?
A. In a fast pace.
Again, this is -- I saw this just before I come in here and trying to rack my memories, there was a number of migration processes put forward, some which was looking at kind of incremental product migration and things that we were looking at doing, but this was very much, from just trying to go back in my mind, there was a change in the migration strategy, which did -- whether it's totally big bang, but it effectively said that we would rollout with the predominance of all the functions as required, which added complexity because the KMS -- and specifically the VPN element of the KMS was a high -- high risk, it was --
It was high risk that we had to carefully manage and put mitigations in place to make sure, when we enabled the VPN, what we did not do was lose connectivity that we couldn't recover to all the post offices. So when there were changes to migration strategy -- so what we would do we would have a migration design, we would make sure that -- how we implement that element of that migration is fully tested, we have -- what is our recovery position on testing that, and the change of strategy increased that risk that we had to go back around our migration design to assure ourselves that the risk was manageable.
Q. Was the driver for changing that strategy to rollout faster?
A. I was not privy to those discussions, so -- but it did accelerate the deployment.
Q. Yes. If we scroll down a little there's also a risk -- the last one, which is risk 4, again with your initials.
A. Yes.
Q. It says here that -- I won't necessarily read it all, but it says, from about halfway down:
"The level of change planned for the [C14] migration will make this much more difficult to achieve due to space/management/communications/logistics."
Then it talks about the risk of there being:
"... no clear management plan for this coordination and there is likely to have a ..."
I'm not quite sure what it leads on to, but am I right in thinking that this is suggesting that there's quite a lot that needs to be -- with this sort of much more holistic, if I can put it that way, migration, there's a lot to manage with space, with resources, with physical structure; is that what we're getting at here?
A. Yes, it needs to be a coordinated management plan to bring it all together.
Q. So, again, it's the fact that everything is being done at once, is it, that makes this more of a risky endeavour?
A. It made it more complex, yes, and, therefore, increased the risk, and this was specific to the data centre migration, I believe, this aspect. The CI3, CI4 -- because when you said "deploy in the counters", and I said yes to that, I suddenly -- now, looking at this one, this looks very geared to the data centre migration element. So the data centre migration was not only were we -- no, sorry, I'm going to retract that. Sorry, this is the deployment.
Q. Yes, all right. Well, can I just turn to one other document and just see if this has anything to do with it or if it's part of the same issues to do with trying to roll things out in one go. This document is FUJ00078691. This refers to the introduction, I think, of an element of the KMS system; is that right?
A. Yes.
Q. This dates from -- we can see at the bottom there -- 31 March 1999. So, again, this is preparing for the main rollout, isn't it, later that year and into 2000; is that right?
A. Correct.
Q. If we scroll down and if we look at -- in fact, if we go to page 3, and we scroll down, the "Scope" and the "Background" tells us a little about, I think it's right to say, this particular element of the KMS.
But what we also see further down, when we get to "TWC Release Approach", is that the first paragraph finishes with the sentence:
"If the release is not available in time then we have to decide to move to the latest TWC or possibly stay at the version used at NR2."
It goes on to explain why, it says that there is a known bug in one of the versions of what was to be rolled out. Is that fair, is that a decent summary?
A. Yes, that's how I read that, yes.
Q. Because of that known bug, if we turn to the next page and we sort of just look at the end of what's been agreed, it seems it has been agreed with you that they will go ahead on the assumption that the enhancement version will not be available in the KMS timescales:
"The testing described in this specification will make use of TWC version 4.0."
Again, is this an example of things having to be rolled out on a quick and altogether basis and, therefore, perhaps some enhancements not catching up in time, not being ready in time? Is that what we're looking at here?
A. This particular one would not be specific to the deployment to Post Office. This specific one would be an issue within one of the versions that we were using in KMS. I would need to know -- I would need to look at the faults to understand what that is, but if there's a known issue with a version that we have, we very often are able to put workarounds in to enable us -- workarounds into the system so that that doesn't become an issue in operating the KMS.
Q. What I suppose I'm getting at here is: do you think, looking back, things were being rolled out too quickly?
A. Do I think -- so I'm very conscious that a number of times we had to delay the rollout because we collectively -- certainly from my area -- said that we were not ready to and, from my perspective, there's always pressure.
There's pressure -- you put pressure on yourself to meet the timescales that you set.
There was pressure from the customer to deploy, there was pressure from our own organisation, but I never felt that if, after assessing and when this agreed (unclear), that would have been assessed with my architects and that to understand what is the implications of that, can it be worked around.
So I need to know the fault and how that was developed and how we actually put -- I would assume there's a workaround -- that we would have to -- you know, it's a -- it becomes a judgement where, in this particular instance, it was assessed that this would not have any detrimental impact in our ability to manage the cryptographic keys, it would just mean that there would be something that we would know about, that we would have to work around, and until that's fixed, that workaround would be in place, typically requiring additional manual processes. Typically, but, again, I need to understand what this bug was.
So, from my perspective, if I or my team said we were not ready to go with our products, I would be supported by my management. They wouldn't like it, they would put a lot of pressure on, and one of the things that we had -- so there's two elements to this.
On the KMS, we -- it was clear that the amount of work to put an automated key management system was far greater than we originally estimated, and we had to deliver it in two elements, to be able to maintain the timescales, and we had to put a proposal forward how we can do that safely. And so it's part of managing a large complex programme.
You know, is there a way forward where everyone understands the risk, they understand -- or they understand the issue and they have the right way to -- they have the right processes or workarounds in place that that issue doesn't become a -- or that risk doesn't become an issue in production.
Invariably, it adds cost to the run costs and, therefore, you don't want to go live. So that would have been part of a number of elements where is there a suitable workaround to go forward with? If so, is that affordable, is that the right way to do it? And that would have been the decision-maker, and I can't remember the specific one here.
Q. When you say that your management won't have liked it but they would have supported it, who were you referring to?
A. So, at that time, it would be -- Mike Coombs was the main person, who was the -- the programme authority director there, but I actually reported into the structure of Terry Austin.
MS PAGE: Right, thank you. Those are my questions.
SIR WYN WILLIAMS: Is there anyone else who wishes to ask any questions?
MR STEVENS: No, sir, not that I'm ...
SIR WYN WILLIAMS: Well, thank you very much then, Mr D'Alvarez, for, firstly, providing your written evidence and, secondly, answering all the questions you have today, which, as will be obvious to you, have gone wider than your written evidence. So thank you for assisting.
MR STEVENS: Thank you, sir. The Inquiry team -- we have another witness to come but could we ask for an early lunch and then start the witness once we have had that lunch?
SIR WYN WILLIAMS: Yes, by all means. What time do you suggest, Mr Stevens?
MR STEVENS: Would 1.30 be okay?
SIR WYN WILLIAMS: Yes, that's fine.
MR STEVENS: Thank you, sir.
(12.15 pm)
(The luncheon adjournment)
(1.28 pm)
MR BEER: Good afternoon, sir, can you see and hear me?
SIR WYN WILLIAMS: Yes, I can, thank you --
MR BEER: Likewise. May the witness be sworn. It is Graham Allen, please.
GRAHAM ALLEN (sworn)
Questioned by MR BEER
MR BEER: Good afternoon, Mr Allen. My name is Jason Beer, as you know, and I ask questions on behalf of the Inquiry. Can you give us your full name, please?
A. Graham Allen.
Q. Thank you very much for coming to give evidence today and thank you very much for the assistance you have already provided the Inquiry in the provision of your witness statement. I wonder whether you could take out the witness statement, please. It should be in a binder next to you.
A. I can't see it.
Q. Have a look behind you on the shelf.
A. No.
Q. Okay, if you just wait there.
Apologies for this, sir.
A. That's okay.
(Pause)
Q. Thank you very much. Now, where were we? If you take out that binder, there should be a witness statement in your name and dated 4 August. Tab A1, 19 pages in length, with your signature at the end of it; is that your signature?
A. Yes.
Q. Are the contents of that witness statement true to the best of your knowledge and belief?
A. They are.
Q. A copy of that witness statement is going to be uploaded to the Inquiry's website and I'm, therefore, not going to ask you about every aspect of it, you understand?
A. Okay.
Q. Your evidence, Mr Allen, relates primarily to the development and then the operation of Horizon Online, topics that the Inquiry intends to address in later phases of the Inquiry, and so the questions I'm going to ask you about today are primarily for the purpose of seeking to assist the Inquiry in understanding the roles that those involved in that process had in relation to Horizon Online, but also any crossover between it and Legacy Horizon, as it became known, and to assist us in directing our investigations into some people who were in post in relation to both Legacy Horizon and Horizon Online. Do you understand?
A. Yes.
Q. So the fact that I'm ignoring, in my questions, 90 per cent of your witness statement, doesn't mean we're not interested in it, we've got your evidence on it and we may come back to you later. Do you understand?
A. Yes.
Q. Can we start, please, with your qualifications and experience, please. What are your qualifications?
A. I did a computer science degree at Portsmouth when it was a polytechnic, I think it switched to a university just after that, and then I took a graduate developer role at what was then ICL and I have remained at ICL and then Fujitsu throughout my career, taking a variety of roles through application development.
Q. So I think you joined ICL, as it was then known, in 1991 -- is that right --
A. That's correct.
Q. -- as a graduate developer. What did a graduate developer do?
A. At that time, I worked in ICL retail, so I took the skills that I had learned at university and just worked developing retail applications.
Q. Is a developer the same as a programmer?
A. Yes, as a programmer, yes.
Q. Thank you. So you worked for the company and its predecessor incarnation for the entirety of your working life, some 31 years now?
A. That is correct.
Q. I think, since January 2022, you have been the operations manager for the Post Office account at Fujitsu; is that right?
A. That's correct, yes.
Q. What does the operations manager do?
A. So, to all intents and purposes, I run the applications teams which was the role I had before January '22 -- January 2022 -- and my role just expanded into looking wider across the services that we deliver, since January 2022, to assist my manager in terms of running the account and helping with those things.
Q. So far as concerns this Inquiry, I think you first worked on the Post Office account in 2007, worked on it for five years until 2012; is that right?
A. That's correct.
Q. That's the period that I'm going to ask you mainly questions about.
You then didn't work on the Post Office account from 2012 until 2017, went back to the account in 2017 and have stayed there since?
A. Yes, that's correct.
Q. As I say, we're interested in your role between 2007 and 2012. In which division within Fujitsu, as it had then become, did you work?
A. I worked in the applications services division.
Q. Can you describe what "application services division" means?
A. So, basically, the area of the company that focused on developing or supporting applications for various customers, so the collection of people whose skill sets were primarily around developing applications.
Q. What was your job title in that period?
A. Applications development manager.
Q. What did that involve, being an applications development manager?
A. In building and running the team to deliver applications to our customers. So in varying roles, managing developers, or primarily managing developers, or maybe sometimes test people or various parts of the life cycle, depending on what the role required.
Q. You mentioned in that answer working with people --
A. Yes.
Q. -- and in your statement you describe a management role with people.
A. Yes.
Q. Was it mainly a human resources function or did you become involved in the information technology itself?
A. So in the role for the Post Office account, it was primarily a human resources role, but with an application -- with the experience of knowing how to recruit application people or knowing how to assist people in solving technical problems, but not being the primary -- my experience was not on how these particular applications were developed or the technology that was used to do them. It was around making sure that the people that I had in the teams had the skills to deliver the applications that we needed to do.
Q. How many people in the teams worked to you?
A. Approximately 100/150 when I first started on the Post Office.
Q. You give that figure in your witness statement and you call them "my development teams".
A. Yes.
Q. How were they split?
A. So they were split into various teams supporting various parts of the applications. As I say in my witness statement, the project involved two major components, as we were moving to Horizon Online, redeveloping a new counter application for the branches and the -- and the separate part of the project, which was migrating the data centre applications from Horizon to Horizon Online.
Q. How were the numbers split as between those two purposes?
A. From recollection, it was probably about half and half. I'm not 100 per cent sure.
Q. And to whom did you report?
A. So I reported to -- I'm not clear on -- I can't remember the role, but I reported to a lady called -- to an application -- an application -- do you know what, can I refer to the statement?
Q. Yes, I think she is called "head of applications"?
A. Head of applications, yes.
So head of applications for the Post Office account, so she would have also had test leads and other parts of the life cycle working for her at that time.
Q. That was Barbara Perek, P-E-R-E-K; is that right?
A. That's correct.
Q. To whom did she report?
A. She reported, I believe, to the head of the application services division, whose name I do not recall.
Q. In your statement you say at paragraph 9 you reported to Barbara Perek --
A. Sorry.
Q. -- who reported into the programme director, who, at the time you joined, was Martyn Hughes.
A. Yes, so Barbara would have reported in to both the application services division at Fujitsu and also for the Post Office account she would have reported to the programme director, Martyn Hughes. Sorry, yes.
Q. What responsibility, if any, did you have for Legacy Horizon, as it became known?
A. I had no responsibility for Legacy Horizon.
Q. What knowledge, if any, did you have as to the operation of Legacy Horizon?
A. So none, other than I sat in the same office as people working on Legacy Horizon, so I may have heard -- I may have heard information on Legacy Horizon but it would have been on a -- what's the word -- just in terms of hearing it in the office. But I was not responsible for it or --
Q. Office chat?
A. Office chat but no direct information or knowledge.
Q. When you arrived in 2007, did anyone tell you when you joined the team or began to manage the team about a problematic live trial and rollout for Legacy Horizon?
A. No.
Q. When you joined the team in 2007 and managed the team in 2007, did anyone tell you about a series of serious errors, bugs and defects that had afflicted Legacy Horizon throughout its life?
A. No.
Q. In order to develop Horizon Online and then migrate it, migrate branches onto it, did you not have to have an understanding of the issues and difficulties that had beset Legacy Horizon?
A. No. The teams -- Legacy -- sorry, the main parts of Horizon that we were developing was a brand new application and, as I say in my statement, actually the teams that were developing it were completely separate, due to the contractual position between the parties, which I don't understand. Prior to that we were --
Q. Sorry, just stopping there, could you just expand on what you meant there by "the teams were entirely separate due to the contractual position", as you understood it.
A. So, Horizon was built on a system provided by Riposte, or was called Riposte -- actually I'm not actually completely clear on the terminology there -- and we were writing a brand new system to replace that counter application from scratch and, I believe, to ensure that we did not have any copyright infringement the instruction was to produce it with a new -- with a completely -- set of people that couldn't possibly copy the previous solution. So it was going back to business requirements from the Post Office to write the solution from -- new, so it was a completely replacement system, in terms of the branch system.
Q. That meant that you didn't have access to their code?
A. That's correct, yes.
Q. Could you, nonetheless, not have been told about -- I will put it neutrally -- some issues that had arisen in the operation of that code over the, by then, seven or eight-year lifespan of Horizon?
A. Yes, I guess so. Whether the developers were aware of that or not, I don't know. Would it have helped? I'm not sure it would have done. All IT systems have problems and part of the point of rewriting them is that you avoid writing those problems again.
Q. If you know about the problems, it's sometimes easier not to replicate them?
A. Potentially, potentially.
Q. You say in paragraph 15(c) of your statement, please, which is WITN04780100, at page 8 -- this is -- I should just look at the passage that this comes under. If we just go back a little bit, please. Thank you. You say:
"I can also recall the following issues ..."
Then, if we go forward to (c), you say:
"There were challenges around explaining the requirements to the development teams in a way that allowed them to understand what they needed to do. For example, the Horizon Online counter application needed to be functionally equivalent to the Legacy Horizon application but to ensure no infringement of intellectual property rights, developers were not allowed access to the Legacy Horizon application."
How do you know about that, that Fujitsu developers were not allowed access to the programming code for Legacy Horizon?
A. Because they often raised it as a challenge to understanding the requirements that they had, in that the level of detail may not have been sufficient and, without being able to refer back to how the system worked previously, they sometimes found it harder to interpret those requirements and write the new system. So it was one of those problems that made it take longer to write Horizon Online than anticipated.
Q. I think you may have answered this already, but whose intellectual property rights were being guarded or asserted here?
A. I believe Riposte, or the company that owned Riposte. I'm not sure which is which.
Q. Were you told that at the time?
A. Yes.
Q. Can you explain why you would have wanted access to the programming code for Legacy Horizon in order to carry out your work?
A. It's one of the ways of a developer being able to identify how the system previously worked. Ultimately, it's the final way, if they can't work it out any other way.
Q. Was the Post Office aware that Fujitsu developers were not able to access the programming code for Legacy Horizon?
A. I think I'm probably speculating but I believe they would have known, yes.
Q. What's the basis for your suggestion that they probably would have known?
A. Only that they were close enough to us at that point that I can't imagine that that would not have been part of the conversation. I don't believe these conversations were ever sort of secret or within Fujitsu, so -- but as I say, I can't -- I couldn't say 100 per cent.
Q. Do you know Mr Jenkins, Gareth Jenkins?
A. I do.
Q. For how long have you known him?
A. From the time -- well, from -- I can't recall the first time I met him, but he would have been working there at the point I started in 2007, until the point he retired, which I don't recall. It may have been while I wasn't on the account. I'm not sure what date he left but personally known him only, probably, really around -- the first time I can recall being aware of him was around when we were piloting and we were, you know, dealing with the technical issues which, as my statement says, I was more involved in.
Q. So, certainly for the period 2007-2012, you would have worked with him?
A. Yes, and certainly around the six months of the rollout.
Q. What was his role when you worked with him?
A. He was a technical architect who -- probably one of the people that understood how Horizon and Horizon Online was built.
Q. In the period 2007 to 2012, how frequent was your contact with him, allowing for the fact that it may have waxed and waned depending on what was being done?
A. As I was going to say, I think probably during the six months of the pilot and rollout, it was probably at least a few times a week. Before that and after that, probably rarely.
Q. He is described in some of the material as "distinguished engineer"?
A. Yes.
Q. What does that mean?
A. It's a title that Fujitsu gives to a certain set of our technical specialists, so there is a process that each year nominations are taken and they are judged against their technical expertise, their knowledge of the marketplace, et cetera, things like that.
Q. So it's a sort of honour conferred on them within the company --
A. Yes.
Q. -- bestowed within the company?
A. Yes.
Q. Okay. He is also described as an applications architect -- or the applications architect or an applications architect, depending on which document you look at. What is an "applications architect", please?
A. So an applications architect is sort of a role or a grading that the system -- that the company uses. It is somebody who designs applications, so doesn't necessarily write the applications, or probably doesn't write the applications, so very much like an architect would design a building, it's the person that designs the applications, so not -- and it's focused on the application not the hardware or the infrastructure, hence the term "application".
Q. Thank you. I think we can see from the documents that you would attend meetings with him.
A. Mm-hm.
Q. We've got some examples of that. Can we look, please, at FUJ00092922, please.
A. Is that B --
Q. It will come up on the screen.
A. Oh, will it? Okay.
Q. Yes. Thank you very much. We can see notes of a meeting called "Next Generation Implementation Issues", of 8 February 2010, at Coton, Warwick and Derby.
A. Yes.
Q. We can see that your name is listed about ten in --
A. Yes.
Q. -- and you are described as "Customer Services (Fujitsu)"; is that accurate?
A. So I think I'm described as "Development Manager" on the right --
Q. I'm so sorry, I misread the lines.
A. That's okay.
Q. Mr Jenkins is described as "Solution Architect", is that the same as applications architect?
A. Yes.
Q.
Thank you very much. At this time, February 2010, how frequent was your contact with him?
A. Because of these issues, it was probably daily.
Q. I think you would exchange emails with him with some regularity; would that be right?
A. Yes.
Q. I think we've got some examples in the disclosed material. I'm not going to go to them to show you where you exchanged an email with him, but you would receive documents from him as well.
A. Yes.
Q. Can we look at some of those, please. FUJ00117478, please. This is one of two documents I'm going to look at. You exhibit this to your statement.
A. Mm-hm.
Q. I think you will remember. The author, Gareth Jenkins; the date, 29 January 2010. If you just read through it and the question I'm going to ask is: is this about Horizon Online or Legacy Horizon?
A. This is about Horizon Online.
Q. You will see that the problem is identified, the basket being recorded twice in the accounts, the PEAK numbers given, the cause of the problem is a bug at the counter.
A. Correct.
Q. Then can we look, please, at Fujitsu00117489, please. That's the wrong tab, sorry, my mistake. FUJ00117480.
Look at the top again. Authorship the same, Mr Jenkins, the date is, in fact, the same.
A. Yes.
Q. Again, just look through it, please. If you look at the problem, for example:
"The problem was that when balancing the last Stock Unit, the User was not prompted to clear their Local Suspense. This ... meant that attempting to roll over the Branch failed due to Local Suspense not being clear."
Again, is this to do with Horizon Online or Legacy Horizon?
A. Horizon Online.
Q. At what stage in the process are you here, namely end January 2010?
A. So I think we are in the initial pilots of the Horizon Online system.
Q. To your knowledge, to your understanding, what was Mr Jenkins' level of knowledge in relation to Legacy Horizon?
A.
I don't actually know the answer to that, I'm afraid. I believe he was -- I believe he was involved in Legacy Horizon, but I am not -- I don't recall what he was involved in, probably because my focus was on this.
Q. Would he have been allowed to speak about it in the same room as you, given that, if he did have knowledge, it might infringe somebody's intellectual property rights?
A. He would have been. I don't recall any instances where I was, so it was only the counter application that the -- I have forgotten the word already -- that the infringement would have been part of and, as I said, there are two major parts of this inter system: the main data centre part was still the same -- inherently the same system, carried forward -- updated and carried forward.
Q. Did Mr Jenkins ever explain to you that he was providing witness statements in connection with criminal proceedings against subpostmasters?
A. So I am aware of that now and I would have been aware of it at some point but I don't know -- I can't recall exactly what point I was aware of -- I was aware of that.
Q. Would it have been whilst you were working on the account between 2007 --
A. Yes.
Q. -- and 2012 --
A. Yes.
Q. -- rather than when you came back to it in 2017?
A. Yes, it would have been during that time I became aware that Fujitsu was involved in that process and that Gareth was part of that.
Q. Can you help us as to how you became aware of that?
A. Probably the best description is to use the one you used before, office chit-chat. Only that, that I became aware that there was a -- maybe there was an occurrence of when he had to go to court, I don't recall exactly.
Q. Did Mr Jenkins ever come and speak to you about any technical aspects of Horizon Online for the purpose of informing evidence that he was to give in a witness statement or in oral evidence in court?
A. No.
Q.
Were you present at any meetings at which either of those things were done?
A. No.
Q. Are you aware of any process by which Mr Jenkins was selected as a witness to give evidence in written and then oral form?
A. No.
Q. Can we look, please, at FUJ00080534. You will see the document title "Horizon Online Data Integrity". Then if we just skip down to the foot of the page, please. A little bit more, please -- thank you.
You will see the date of this version of the document as 25 November 2011.
A. Mm-hm.
Q. Then if we go to the top, please, you will see that it is authored by Mr Jenkins.
A. Yes.
Q. Now, I think this is a document that you saw and contributed to at the time?
A. Yes. I don't recall it but, having read the document provided to me, yes, I can see that I'm recorded as commenting on it.
Q. We can see that, I think, if we skip to page 3, please. Under "Document history", we can see that the first draft was ten months or so beforehand, version 0.1, and in the second line, it says:
"Minor changes in response to feedback from Torstein Godeseth and Graham Allen."
So I think that's what you were just referring to; is that right?
A. Yes.
Q. Torstein Godeseth, can you help us as to who he was?
A. So Torstein Godeseth was a Post Office architect at some point. He now works for Fujitsu, so he changed roles at some point during Horizon Online. I can't recall the exact time --
Q. Can you remember the year?
A. Not accurately, no. I was on the account, so it must have been 2010/2012-ish but I'm not 100 per cent sure.
Q. So Post Office Counters Limited employee, who moved over to Fujitsu?
A. Yes, yes.
Q. Going back to the front page of the document, please. Having re-read the document more recently can you help us overall as to the purpose of this review or this report?
A.
Only from what I have read in the document and that it was -- it appears from memory, from reading it over the weekend, it appears to be a description of the measures -- as it says in the abstract:
"[Description of] the measures ... built into Horizon Online to ensure data integrity."
It appears to be to brief KPMG, I think it said, on conducting an audit of that.
Q. So the abstract is accurate, it's a backward look at measures that are built into Horizon Online to ensure data integrity?
A. Yes.
Q. If we go forwards, please, to page 7, I think if we read the terms of reference together:
"Fujitsu would like to instigate an independent audit of the [Horizon Online] environment currently delivered to Post Office Limited to provide confidence that the solution has intrinsic security controls commensurate with the requirement for legal admissibility. This will enable a legal review of contract compliance."
Then "Objective":
"Now that Horizon Online has been operational for 12 months, Fujitsu is undertaking a legal review of its compliance with its contract obligations and in order to enable that, would like to undertake an independent assessment to demonstrate the adequacy of the security controls that have been designed into the system to provide assurance in the robustness of the audit of the transactional data that may be used as evidence in court."
Can you recall what prompted this?
A. I can't. I say, until I was provided with the document I didn't even recall the document or being involved in commenting on it. I can see that I was but -- so no, I can't recall.
Q. Can you recall what your feedback was on the document?
A. I can't recall it but I did have a look back through the previous versions of the document and my comments were, I believe, a couple of typos or of that order of magnitude.
Q.
Was that with the assistance of Fujitsu that you went back and looked --
A. I have access to the document management system so, yes, in that respect, with the assistance of Fujitsu, yes.
Q. So you did that at work, did you?
A. Yes.
Q. At this time, what was your relationship at work with Gareth Jenkins? Why was he the author of the document, to your knowledge?
A. Again, I would have to speculate because I can't recall exactly: in his role as an application architect.
Q. Torstein Godeseth, what was his role at the time?
A. I couldn't be 100 per cent sure. Again, likely to be an application architect. Purely based on the fact that Torstein commented on an early draft, I suspect he was part of Fujitsu at that time, but I'm speculating again. It would need to be checked.
Q. Why were you asked to give feedback?
A. That, I don't know. I would have been application delivery manager at that time and I guess it was considered to be part of my role to do that. Yes, I can't give you any better answer than that, I'm afraid.
Q. Can you try and help us --
A. Yes, definitely.
Q. -- and tell us what about your job would have made it appropriate for you to have been asked to give feedback on a document concerning the integrity of Horizon Online that will ensure the requirements for legal admissibility in court proceedings were met?
A. Okay. I don't think it would have been in relation to that, but clearly if there had been or were any changes required out of any audit, then it would have been my teams that would have had to have made those changes and, hence, there's some governance responsibility on me to check that the documentation is correct.
The other likely thing, as I have said in my statement, is my role as mainly a -- we called it a human resources type thing.
It's clear that I have years of experience of application development and I can interpret or bridge the gap between descriptions and technical people to cross check that information is correct. So it would have been on some sort of consulting or responsibility for application delivery role.
Q. If we just look at the top of the page there, underneath the heading, it is said that it is prepared -- and this appears on every page -- "Commercial in Confidence" and then "Legally Privileged".
Do you know why that was?
A. I don't, no.
Q. Were you aware of any litigation being taken against either the Post Office or Fujitsu, at this time?
A. No.
Q. Can we go over to page 8, please. You will see there's a list of stakeholders and their roles and responsibilities. Can I have your help, please, on a little more than the two or three word descriptions that are given for each of the people there: Stephen Long, Fujitsu or Post Office employee?
A. So Stephen Long was a Fujitsu employee. He would have been the head of account at that point, hence the project sponsor I'm assuming.
Q. Yes. James Davidson?
A. So James Davidson, as it says there, service operations director. So James was responsible for all of our service delivery aspects, if that makes sense, sorry.
Q. There's a tendency in IT to have five or six words, one of which is always "service", some of which are "applications", and then are switched around in different orders. So could you explain maybe what the person actually does?
A. Yes. So James would have been ultimately responsible for our support teams, our service teams, in maintaining the day-to-day service and that the system was up and running, and that type of service delivery. I would have had a line or a dotted line into him as part of my team's -- ultimately delivering applications would have had some responsibility to the support of the service.
Q.
Thank you, that's helpful. "Torstein Godeseth -- Architecture". Can you help a little more on what his role was at this time?
A. I can't from that description, no, and I don't recall what Torstein did there.
Q. Gareth Jenkins you have already explained. Mike Deaton, again Fujitsu employee?
A. Yes.
Q. "Project leader", was that for Horizon Online?
A. I don't know exactly what it would have meant in the context of this document was -- he was responsible for making the project -- delivering the project that this document was part of. So like a project manager, project leader, I believe.
Q. Edward Phillips?
A. I don't recall that name or -- yes, I don't recall that name at all.
Q. And Ian Howard of security?
A. I don't recall that name either, so I don't actually know whether he was Fujitsu or Post Office. I'm assuming from the -- as you pointed out -- the legally privileged title bit that they are all Post Office employees, but other than the ones I have mentioned, I can't confirm.
Q. Do you remember a position within Fujitsu of chief information security officer?
A. Yes.
Q. Can you recall whether Mr Howard, Ian Howard, occupied that position?
A. I can't. I'm only assuming from what I read there that that is the role, but I don't know.
Q. Then under paragraph 1.5 "Constraints, assumptions and risks", it says:
"All work will be undertaken under an agreed and signed Non-Disclosure Agreement."
Can you help us, can you recall who was that required by, the Post Office, Fujitsu or somebody else?
A. I can't recall. I can only assume that, as this mentions another third party, KPMG, that it is with them but that is an assumption.
Q. Sorry, because the report we're going to see in a moment mentions KPMG --
A. Yes.
Q. -- that they required it?
A. Yes.
Well, that Fujitsu required it with KPMG but that's -- as I say, I am speculating there; I don't actually know.
Q. Was it normal when a group of seven or eight Fujitsu employees got together on a project that they had to sign a non-disclosure agreement?
A. No, no. My experience of non-disclosure agreements within Fujitsu are always around third parties.
Q. Ie the third party has to sign it?
A. Both -- so either the -- yes, the examples I have seen in other places are the customer and all of the parties involved sign them, or Fujitsu and a third party they are involving in some work signs them, depending on who -- the discussions are, so I can't tell you what that means, in the context, I'm afraid, of this document.
Q. Did you sign a non-disclosure agreement?
A. Not that I recall, no.
Q. Do you know what you would have been forbidden from disclosing in discussing the issue that this paper relates to?
A. No.
Q. Do you know from whom you would have been forbidden to disclose such information --
A. No.
Q. -- for example the client, Post Office?
A. Other than all parties that weren't part of the disclosure agreement, just as per my standard training, if you like. But I don't know what the non-disclosure agreement was signed -- who that was signed between as part of this document.
Q. Okay. If we go on to the next page, please, page 9:
"This document has been prepared for KPMG to enable scoping for an independent assessment of data integrity controls around Horizon Online in order that legal advice can be obtained from in-house counsel about Fujitsu's contractual liability."
Just trying to flesh that context out a bit, contractual liability to who?
A. It can only be Post Office, as far as I can see from that document.
Q.
Do you remember the context in which this exercise, this project, was undertaken, that there was an issue of Fujitsu's contractual liability to Post Office?
A. Over and above our contractual liability to support prosecutions, or support the evidence to prosecutions, no, I can't think of any.
Q. What do you recall about the contractual liability to support prosecutions?
A. An awareness of it. Other than that, nothing.
Q. Where did you gain that awareness from?
A. Conversation.
Q. With who?
A. I don't know. Whoever I was working for at the time, I assume, as part of this document but I don't know.
Q. What was your understanding of Fujitsu's contractual liability to support prosecutions?
A. My only understanding was that we did send witnesses to support Post Office in some cases, but that's -- that is all I knew of at the time.
Q. Was there ever, to your knowledge, in the development of Horizon Online, any look back to the stage before then, ie before the witness gets dispatched to court, to see how you designed the system in order to make the data have integrity, in order that the witness can go to court and speak to the integrity of the data that the system produces?
A. I don't really understand the question.
Q. Okay. You said that your understanding of the contractual obligation was to provide support --
A. Yes.
Q. -- to prosecutions.
A. Mm-hm.
Q. I asked you more about that and you said you knew that "we sometimes sent witnesses to court".
A. Yes.
Q. I was asking was there any discussion in which you were involved, at a stage prior to the dispatch of a witness to court, about the design of the system, with a focus on this data might be used for prosecutions?
A. Not that I recall specifically, no, other than an awareness that the system was designed to be integral and that was what the evidence was provided on.
Q.
When you say the system was designed to be integral, do you mean the system was designed to have integrity?
A. Yes, sorry.
Q. Two paragraphs on, it says:
"Note that this document only covers Horizon Online ... It does not cover the original Horizon System, which is specifically excluded from this exercise."
Then last paragraph:
"The scope of this paper is restricted to showing the Integrity of the Audit trail and that it accurately reflects the transactions entered at the counter."
Were you aware of whether a similar document or process or project existed in relation to Legacy Horizon --
A. No.
Q. -- ie writing down, capturing in one place what elements the system has to ensure the integrity of the audit trail and to ensure that the system accurately reflects transactions entered at the counter?
A. I can't say that I wasn't. I'm answering that on the basis that it could have been discussed at the point that this came out that this was a continuation of that service, but I don't recall one way or the other whether it was specifically discussed.
Q. Okay. I just want to show you very quickly a document, please, at FUJ00080526.
A. Yes, I was provided this document just before the hearing and it -- that's the first time I have seen it and it does appear to be, as you say, the predecessor, or the same document for the Horizon System, as the -- and the other one was for Horizon Online.
Q. If we just check the date first. If you look at the foot of the page, 2 October 2009. Then if we go up to the top of the page, the document title is "Horizon Data Integrity". This one is prepared "Commercial in Confidence" but "Without Prejudice".
The abstract describes the document as describing:
"... the measures that are built into Horizon to ensure data integrity.
"Note that it only covers Horizon and not [Horizon Online]."
The author is once again Mr Jenkins.
So would you agree that this appears to be an equivalent document in terms of its scope, not necessarily its purpose, for Legacy Horizon rather than Horizon Online?
A. It does appear to be, yes.
Q. Thank you. Then if we just look over two pages to page 3, you will see the "Document History" there. You are not mentioned in this or, as far as I can see, any other part of the document. Would that reflect the fact of your lack of involvement in Legacy Horizon?
A. It would, yes. I wouldn't be expected to be part of this document, given its scope was Horizon.
Q. There appears -- next to version 1 -- to be a record that this document, version 1, is available for release to the Post Office.
Just if I can have your help, please, under "Review Details", can you help us as to who Suzie Kirkham was?
A. So Suzie Kirkham was -- I want to say account manager. So she would have worked for the head of the account, whatever it was called in those days. Her role, as I recall it, was primarily sales, although clearly, as per that, I wouldn't expect that to be the role she was performing here. So she had an overall view of aspects of the account.
Q. Jeremy Worrell?
A. So the terminology there, "CTO", means chief technology officer. I don't recall Jeremy in that role. However, he was one of the senior architects -- I wouldn't put the word "application" in front of him. I believe he was wider than that.
Q. So, so far, ICL employees or --
A. Yes, definitely.
Q. -- Fujitsu. Guy Wilkerson?
A. So commercial director, as it says there, so responsible for contracts, commercial relationships.
Q. Did you know LaToya Smith?
A. I didn't -- well, if I did, I don't recall her name. So, from that, it looks like she worked for Guy.
Q. Amanda Craib?
A. I recognise the name. The role there looks like a wider role within Fujitsu, as it was then, I think, but I don't recall.
Q.
And David Smith, do you recognise that name?
A. I do, so David was, I think, ultimately responsible for the delivery of Horizon Online within Post Office. That's the role I remember him in.
Q. Given what you told the Chair about your position in relation to Legacy Horizon, I'm not going to ask you questions about the detail of that document.
Were you aware of articles in the media in May 2009 about the integrity or lack of it of both Legacy Horizon and Horizon Online?
A. I don't recall being aware at that time of those, no.
Q. Can you now recall whether you had knowledge of the Computer Weekly article of May 2009 --
A. No.
Q. -- in the month of May 2009, written by Rebecca Thomson?
A. No, I do not recall being aware of that at the time.
Q. Can you remember any discussion within your team or managers and directors above you over any need to commission any work as a result of the article which was exceedingly critical of Horizon after May 2009, at the same time that you were developing a new Horizon System?
A. I don't recall that, no, although the timing of the documents, you know, makes me speculate that that may have been a result, but I do not recall that being discussed at the time, no.
Q. So it wasn't the talk of the town in the office that "The system that we're developing has been very severely criticised in a trade journal"?
A. Not that I recall.
Q. What was your main source of communication --
Sorry, that can come down from the screen. Thank you.
What was your main method of communication, source of communication and interrelationship with Post Office Limited, when you were developing Horizon Online?
A. So from what I recall, it was a very joint relationship. Clearly, Fujitsu were doing the majority of the delivery, but their programme staff were very often in the same building as us visiting.
The test team was a joint test team at the time, so there were always Post Office staff within Fujitsu, as part of the testing of Horizon Online.
Q. You worked, I think, in Bracknell?
A. Yes.
Q. Was there anyone from Post Office embedded there?
A. Yes, the test team particularly were -- it was the same -- yes, it was a joint team and they were -- I think -- I believe they had a separate office in -- they had an office in our building.
Q. Over the period, the five-year period, what was -- was there a key meeting or focal point for development, as far as you were concerned?
A. Sorry?
Q. You refer in your statement to weekly programme boards.
A. Yes.
Q. Was that the main vehicle by which the project from your perspective was progressed?
A. Internal -- so the boards that I refer to in my statement at that time were internal to Fujitsu and I'm -- I'm speculating that there were equivalent boards with the customer, I just wasn't involved in them at that time.
Q. That was my next question. What, if any, boards or equivalent meetings did you have with your customer?
A. So I -- my -- I was fairly separate from the customer at that point. There was a lot of people working on the account. My focus was internal, on running the development teams. My -- the head of applications and the programme director, or Programme Manager at the time would have been more -- would have been running the customer meetings, or would have been involved in the customer meetings. I --
Q. In your five-year period, do you think you ever went to any customer meeting?
A. Certainly, as the evidence here shows, customer meetings and customer phone calls very regularly during the end of -- the start of the pilot and rollout. My recollection is that's when I was mostly involved with the customer.
It's conceivable or more likely that I was involved in more ad hoc meetings up to that point, but I don't recall what they were.
Q. You say in your statement that there was generally good interaction between all the teams involved, including the teams from Fujitsu and the Post Office and that you were not aware of any technical or operational issues that couldn't be resolved due to poor interactions or relationships amongst individuals or teams working on the project.
A. Mm-hm.
Q. How do you know that if you had relatively little contact with the customer?
A. So my statement there was referring in the majority to the internal Fujitsu teams, which I think is how the question was asked. So, yes, I don't recall within Fujitsu any challenges between teams that -- other than the normal human interaction that you get. And equally, as I say, as Post Office were there, my awareness was that we were communicating regularly with them.
Q. So, as far as you are concerned, in the development of Horizon Online, no difficulties in relationships, either within the Fujitsu team or between the Fujitsu team and Post Office Limited?
A. As I say in the statement, over and above, it was a difficult programme that was taking longer to deliver than expected and, therefore, the customer were clearly very interested in what we were doing to recover time, or to -- what the plan was to deliver Horizon Online.
Q. So the three-year delay can't have helped relations, no?
A. Yes, of course not -- or no, of course not.
Q. You tell us in your statement -- it is paragraph 33, which is WITN04780100, at page 15. You say:
"Whilst I was involved in resolving certain technical issues during the initial pilot ... I cannot recall if any of these technical issues remained unresolved through the rollout of Horizon Online.
It is common practice in any IT project for technical issues that are typically experienced to remain unresolved during rollout, as long as each technical issue is assessed as not causing unexpected business impact. These issues would be resolved in further releases at a later date. In my experience, it is common for parties involved in large IT projects to agree to such arrangements."
So there your recollection doesn't assist you to say whether any issues remained unresolved at the end of rollout?
A. So, no, my recollection -- so my recollection doesn't resolve what issues were unresolved at the end of rollout but, again, my experience says that there will have been some issues that remained unresolved, but those issues -- well, I wouldn't have expected -- well, we didn't, as far as I'm aware, roll it out with issues that were going to cause either our support teams or the customer or, specifically, the branches issues that were not manageable because there's no -- there is no -- it's not in anybody's benefit to do that.
Q. Then, just going back to paragraph 30 of your witness statement, please, you tell us in paragraph 30, in summary, that any PEAK relating to a discrepancy in branch accounts would have caused you concern at the time?
A. Yes.
Q. Can you recall whether any connection was drawn between incidents which affected Legacy Horizon being discrepancy in branch accounts and Post Office backend systems, and the issues that were arising in the new product, Horizon Online, to the same effect, ie "We've got a balancing problem in Horizon Online", and somebody said "There is a history of balancing problems with Horizon"?
A. I don't recall exactly. However, as well as -- any system that can cause a financial discrepancy is always -- that's always a top priority issue, regardless of what has happened here, so --
Q.
I suppose I'm asking a bigger question: was there any effort to look back at the last decade and see what had happened with Legacy Horizon, to see whether it provided any help in the design of the new system?
A. So I think that would have been well before this point when the system was designed, so here we're talking very much about the implementation of it and I'm not -- I have not -- I'm not a technical application architect, so I can only assume that, as we have already established, some of the people were the same, that those lessons would have been learned at least individually, if not collectively, but I don't know.
Q. One would hope so, wouldn't one?
A. One would hope so.
MR BEER: Thank you very much, Mr Allen. They are the only questions I ask at the moment.
I think Mr Stein has some questions to ask.
SIR WYN WILLIAMS: All right. Fine.
Questioned by MR STEIN
MR STEIN: Sir, good afternoon. I, in fact, have very few questions.
Mr Allen, I have just -- as I said to the Chair of the Inquiry -- very few questions for you and they in fact concern the document you have been shown earlier, which is FUJ00080534, at internal pagination page 7.
I should have said that I represent subpostmasters, mistresses and managers, a large number of those that have been affected by the problems with the Horizon System, and so you will understand that I'm asking questions on their behalf.
Now, we should have on the screen, at 1.1, under "Objective" the words that say this:
"Now that Horizon Online has been operational for 12 months, Fujitsu is undertaking a legal review of its compliance with its contract obligations ..."
Now, let's just pause there. You mentioned that you knew that there was a contractual obligation to provide material for prosecutions.
A. So I would probably qualify that I don't believe I knew at the time there was a contractual obligation.
I did
14 know that we did it.
15 Q. Right. So you knew that you were about the business, or
16 your company was about the business of providing
17 information to support prosecutions?
18 A. Yes.
19 Q. All right. Now, having had that in mind, we can see
20 here that the reference is to Horizon Online being
21 operational for 12 months. Do we take it, and do we
22 understand from that, that prior to this document that
23 there had not been a document that was analysing the
24 quality of the data that's being used for compliance
25 with the prosecution duty that is performed by Fujitsu?
112

1 A. I think the wording of this document, and I have to say
2 implies to me, that this was an audit to ensure that,
3 not that it wasn't in place.
4 Q. Right. Insofar as you remember the preparation of this
5 document, Mr Beer already referred to the fact that
6 there's a Computer Weekly article that is in 2009 and
7 referred to the fact that, within this document, that
8 the proposal is that this is going to be supplied to
9 KPMG, yes?
10 A. Yes.
11 Q. You have already accepted that there seems to be
12 a logical connection between --
13 A. Yes.
14 Q. -- these events.
15 A. Yes, seems to be, but I can't recall it.
16 Q. Now, the prosecution of any individual is a weighty
17 responsibility, you agree?
18 A. Indeed.
19 Q. And I very much doubt, Mr Allen, that you would like
20 people to go to prison for things they didn't do.
21 A. Absolutely not.
22 Q. Right, so you must have understood that this is an
23 important obligation being carried out by Fujitsu,
24 correct?
25 A. Mm-hm.
113

1 Q. You must have understood that this particular document,
2 the preparation of it is to go to KPMG auditors to
3 ensure, from their perspective, that this is being taken
4 on board properly, yes?
5 A. Indeed, yes.
6 Q. So these are all fairly important factors being
7 considered at that time?
8 A. Yes.
9 Q.
Are you saying that at the time when these matters are
10 being considered by you and your colleagues, that there
11 was absolutely no reference to what was going on in the
12 real world, in other words the potential set out in the
13 Computer Weekly article that people were being
14 improperly prosecuted?
15 A. No, I'm saying I can't recall what led to this document.
16 Q. Well, are you saying that this was done, this document
17 preparation, these considerations within this document,
18 completely in ignorance of what was being said in the
19 Computer Weekly article? Is that what you're saying?
20 A. No, I'm saying I simply cannot recall that that was the
21 reason. I agree with you from the information I'm
22 looking at that the timing does seem -- that that is
23 a possibility, but I honestly cannot recall.
24 Q. Let's nail this down, Mr Allen. Let's nail this down.
25 At the time when this document was under preparation,
114

1 was there any discussion about the fact that in the
2 press there had been concerns expressed regarding the
3 reliability of the Horizon System?
4 A. As I have said, I can't recall that.
5 Q. Mr Allen, it does seem to be an unlikely position to
6 have reached that here we have discussions -- internal
7 discussions within Fujitsu regarding the question of
8 satisfying KPMG, a very well-known firm, that there is
9 data integrity and audit systems in place to ensure that
10 the reliability of data provided for the support of
11 prosecutions is true and good, it does seem a little
12 unlikely, Mr Allen, that there weren't such discussions.
13 You are saying you've got no memory whatsoever.
14 A. I agree with you from what I'm looking at here, but
15 I honestly do not recall the reason for this.
It is --
16 you know, clearly as Fujitsu were involved in that,
17 you know, in having an independent review, that that is
18 what the -- that the system was integral -- sorry, had
19 integrity, is clearly important regardless of what else
20 was going on, but I agree with you and I apologise that
21 I can't recall that, but ...
22 Q. Just finally, we can see that in the middle of page 7,
23 under 1.1:
24 "The purpose of this document is to define the terms
25 of reference for the project and to provide a technical
115

1 description of measures that are built into Horizon
2 Online to ensure data integrity."
3 Then in the slightly greyer type under that we see
4 the quote:
5 "The focus of the assessment will reflect how, from
6 the initial design of Horizon Online, Fujitsu have built
7 in integrity of transactions as a requirement."
8 Now, that seems to be a quote from another document
9 built into this one.
10 A. It does, yes.
11 Q. So:
12 "The focus of the assessment will reflect how, from
13 the initial design of Horizon Online, Fujitsu have built
14 in integrity of transactions as a requirement."
15 Now, when Horizon Online was being constructed was
16 this built in as that says?
17 A. I believe so, yes, and I -- yes.
18 Q. And your instructions in relation to such?
19 A. Sorry?
20 Q. Your knowledge of that?
21 A. I -- yes --
22 Q. I thought you said you didn't know about contractual
23 liability?
24 A. So it's a financial system. I know all the financial --
25 all the systems I have worked on have -- in fact all
116

1 of -- I think everything I have worked on has financial
2 integrity. I worked on retail systems at the beginning,
3 so ensuring financial integrity is what any system has
4 to do, or have controls in place to do that.
5 Sorry, I don't think I have answered your question
6 very well.
7 MR STEIN: Excuse me one moment.
8 (Pause)
9 Sir, thank you. No further questions.
10 A. Thank you.
11 SIR WYN WILLIAMS: Are there any other questions for
12 Mr Allen?
13 MR BEER: I don't think so, sir. Thank you.
14 SIR WYN WILLIAMS: All right. Well, thank you, Mr Allen,
15 for providing your written evidence and for coming to
16 the Inquiry to answer questions from Mr Beer and
17 Mr Stein. I'm very grateful.
18 A. Thank you.
19 MR BEER: Sir, that concludes the business today. Can we
20 say 10.00 am tomorrow, please.
21 SIR WYN WILLIAMS: Yes, certainly.
22 MR BEER: Thank you very much.
23 (2.36 pm)
24 (The Inquiry adjourned until 10.00 am on Wednesday,
25 9 November 2022)
117

INDEX

ALAN D'ALVAREZ (sworn): page 1
  Questioned by MR STEVENS: page 1
  Questioned by MR STEIN: page 53
  Questioned by MS PAGE: page 62
GRAHAM ALLEN (sworn): page 71
  Questioned by MR BEER: page 71
  Questioned by MR STEIN: page 111