Summary
- Fujitsu's Horizon role should be understood as a cost-transfer prevention case: software outputs were treated as evidence of branch shortfalls, and those outputs helped move financial, legal, and reputational burden onto individual sub-postmasters.
- The public record includes the Bates v Post Office Horizon Issues judgment, the Post Office Horizon IT Inquiry final report volume 1, Fujitsu's 2024 statement, GOV.UK redress data, parliamentary scrutiny, NAO compensation lessons, and current reporting on compensation and replacement.
- The control question is not simply whether software had bugs. It is whether Post Office, Fujitsu, government, lawyers, auditors, and prosecutors had enough reliable evidence before treating system outputs as proof against people.
- Responsibility is distributed. Fujitsu supplied and supported Horizon. Post Office operated, relied on, and litigated around it. Government owned and supervised the public-policy setting. Prosecutorial and legal actors had disclosure duties. Claimants bore devastating transferred cost.
- The durable lesson is that digital systems should not be allowed to turn operational uncertainty into personal debt, criminal suspicion, or delayed compensation unless the evidence standard is explicit and independently challengeable.
The question is cost transfer, not only software failure
The Horizon scandal is often described through the phrase "software bugs." That phrase is accurate but too small. Bugs, errors, and defects mattered because Horizon outputs were used to identify alleged branch shortfalls and to support demands, disciplinary action, civil proceedings, and prosecutions. The accountability question is therefore not only whether the software was flawed. It is whether flawed or insufficiently explained software outputs were allowed to transfer cost onto people who could not see or challenge the underlying system.
The 2019 Bates v Post Office Horizon Issues judgment is the central legal source for this article because it examined Horizon reliability, bugs, errors, defects, remote access, and evidential claims in detail. The Post Office Horizon IT Inquiry's Final Report Volume 1 then placed the scandal's human impact and compensation context into a broader public record. These documents show why a narrow engineering explanation is inadequate.
Cost transfer can happen quietly. A branch account shows a shortfall. The operator is told to make good. The institution treats the system output as authoritative. The individual faces pressure, debt, suspension, prosecution, bankruptcy, stigma, or imprisonment. If the system is wrong, uncertain, remotely alterable, poorly disclosed, or misunderstood, the institutional error becomes a personal burden. That is the failure class.
Fujitsu's role belongs in that class because it supplied and supported the system whose outputs carried evidential weight. Post Office's role belongs there because it operated the relationship with sub-postmasters and relied on the outputs. Government's role belongs there because public ownership and oversight shaped the accountability environment. Legal actors belong there because disclosure and evidential duties decide whether defendants can challenge technical claims. No single actor fully explains the scandal, but each actor had a control surface.
The prevention question is simple: before a digital system moves a loss onto a person, what evidence is required? Who verifies the system? Who documents defects? Who discloses uncertainty? Who can challenge the output? Who pays when the output is wrong? Horizon matters because those questions were answered too late.
Fujitsu's supplier role included evidence obligations
Fujitsu's 2024 official statement apologized to sub-postmasters and their families and acknowledged the seriousness of the matter. That statement is important, but supplier accountability cannot rest only on apology. A supplier whose system is used as evidence in disputes and prosecutions has obligations around reliability records, defect disclosure, support communications, expert evidence, remote-access transparency, and audit trails.
The supplier may not decide to prosecute. It may not own the customer relationship. It may not set every legal strategy. But it can know things about the system that others do not know. It can know defect histories, support patterns, remote-access capabilities, known error modes, and diagnostic limits. When system outputs are treated as evidence, that knowledge becomes public-interest evidence, not merely internal product knowledge.
NIST's systems security engineering guidance, SP 800-160 volume 1 revision 1, is not Horizon-specific, but it helps name a general principle: trustworthy systems require engineering, assurance, and lifecycle evidence. In Horizon's context, trustworthy evidence was not only about cyberattack resistance. It was about whether accounting outputs could be relied on to accuse a human being of owing money or committing wrongdoing.
The supplier evidence package should have included plain answers. What defects were known? Which releases were affected? Which defects could create or alter shortfalls? Which branches were affected? What remote access was possible? Could transactions be inserted, altered, or corrected without the operator seeing? What audit trails existed? What were their limits? Which expert statements were safe to make? Which were not?
Those questions matter because sub-postmasters did not have equal access to Horizon internals. A person accused on the basis of system data cannot independently verify a proprietary system without disclosure. Supplier opacity therefore creates evidential asymmetry. The more severe the consequence for the individual, the higher the supplier's duty to make uncertainty visible.
Supplier accountability also extends to replacement and transition. Computer Weekly's 2026 reporting on Fujitsu being removed from major Horizon replacement deals shows that the procurement consequences continued into the present public record. Replacement, however, is not the same as redress. A new supplier path does not by itself answer what happened to people harmed by the old evidential system.
Software evidence needs adversarial visibility
The Horizon record exposes a general rule for software evidence: if a system output is used against a person, the person must be able to challenge the system's reliability, data path, and alternative explanations. That challenge cannot be meaningful if the institution controls all technical knowledge and treats the output as presumptively true.
The Crown Prosecution Service's public page on disclosure is a general source, not a Horizon-specific finding. It is relevant because criminal proceedings depend on disclosure of material that may undermine the prosecution case or assist the defence. In a software-evidence case, defect logs, support tickets, known bugs, remote-access records, audit limitations, and expert uncertainty can be disclosure material. If those records are not identified and shared, the accused cannot test the evidence.
The Law Society's commentary on Bates v Post Office helps frame why the litigation became a landmark. But the deeper point reaches beyond one case. Digital systems now generate evidence in benefits, banking, employment, tax, healthcare, retail, policing, and platform governance. The Horizon lesson is that system evidence should not be treated as neutral simply because it is digital.
Adversarial visibility requires several controls. First, a defect register that is complete enough to show known error modes. Second, audit trails that identify human, automated, and remote actions. Third, expert evidence that states limits, not only confidence. Fourth, preservation of system logs before litigation. Fifth, independent review when the same institution that benefits from the output controls the evidence. Sixth, a burden-of-proof rule that does not quietly shift to the individual.
The cost-transfer frame helps clarify the stakes. If a branch shortfall is real and attributable to an operator, the institution may have a claim. If the shortfall is caused by a system defect, remote correction, synchronization error, or unexplained accounting process, the institution should not transfer the cost. The evidence standard decides which path is taken.
Horizon shows what happens when institutional confidence outpaces evidential humility. A system can be broadly operational and still produce disputed outputs in particular cases. A supplier can fix defects and still leave past outputs in question. A court can receive expert evidence and still find that prior assumptions were unsafe. Software evidence needs a channel for those uncertainties before lives are damaged.
Compensation is evidence of delayed accountability
Compensation schemes are sometimes treated as a separate administrative phase after the scandal. In the Horizon case, compensation is part of the accountability evidence. The scale, complexity, delay, legal cost, and claimant burden of redress reveal how hard it is to repair a cost transfer once institutions have treated system outputs as authoritative for years.
GOV.UK's current Post Office Horizon financial redress and legal costs data for 2026 makes compensation a live public record. The House of Lords Library briefing on progress of compensation summarizes the schemes and continuing policy context. The National Audit Office's briefing on lessons learned from government compensation schemes is relevant because compensation administration itself can reproduce harm if it is slow, complex, or mistrusted.
Delayed redress is another form of cost transfer. People who were wrongly accused or pressured may wait years for financial repair while carrying bankruptcy consequences, legal costs, health damage, family loss, reputational stigma, and lost business opportunity. Compensation cannot fully restore those losses, but delay makes the gap worse. The longer institutions take to repair, the more the individual continues financing the institution's failure.
The Guardian's 2026 reporting on compensation-scheme deadlines shows that redress pressure remained a current issue. That currentness matters. Horizon is not only a historic technology failure. As of 2026, compensation, accountability, replacement, and institutional learning remain part of the public record.
Compensation systems should therefore be judged by claimant usability. Are eligibility rules clear? Is evidence burden fair? Are interim payments available? Are legal costs covered? Are traumatised claimants supported? Are deceased claimants' families served? Are decisions timely? Are appeals accessible? Are statistics published? Are scheme designers learning from claimants? These questions are not administrative niceties. They decide whether the state and institutions stop transferring cost to victims.
The prevention lesson is even stronger. If redress is this hard, the evidential threshold before the original cost transfer should have been higher. It is far cheaper and more just to prevent unsafe accusations than to compensate after wrongful harm.
Public scrutiny had to stay current
The Horizon public record continues to evolve. The UK Parliament's Business and Trade Committee listed a 2026 oral evidence session connected to Horizon justice and accountability. Parliament's 2024 explainer on justice for sub-postmasters shows how the scandal became a national institutional concern. Public scrutiny matters because complex accountability systems can drift after attention fades.
Current scrutiny should focus on prevention, not only blame. What will stop another system from producing personal debt or criminal suspicion without adequate challenge? How will suppliers disclose defects? How will public bodies maintain independent technical expertise? How will prosecutors handle proprietary software evidence? How will compensation schemes avoid retraumatizing claimants? How will replacement systems avoid inheriting the same evidential assumptions?
Computer Weekly's 2025 reporting on Fujitsu leadership reaction to the inquiry report and links to the human impact of Horizon captures the continuing accountability tension around institutional response. Secondary reporting should not replace inquiry findings, but it helps show that accountability depends not only on formal documents; it also depends on how organizations internalize those documents.
Public scrutiny must also cover government ownership. Post Office's position and public-policy role mean this was not just a private supplier/customer dispute. Government had oversight duties, funding duties, compensation duties, and institutional credibility at stake. If a public-service network relies on proprietary evidence systems, government must ensure it can understand and challenge them. Outsourcing technical operation cannot mean outsourcing public accountability.
The same rule applies beyond Horizon. Welfare systems, tax systems, immigration systems, health systems, court systems, and regulated markets increasingly depend on software outputs. If those outputs move money, status, liberty, or reputation, public institutions need technical literacy and disclosure rules before harm occurs.
Remote access should have been a first-order evidence issue
Remote access is one of the most important technical concepts in the Horizon record because it affects who could alter, correct, or influence branch data and what the branch operator could reasonably know. If a central actor can access or change records, the evidential story is not simply "the branch system recorded a shortfall." The story must include who else could touch the data, when, under what controls, and with what audit trail.
The official Post Office Horizon IT Inquiry website is valuable because it gives the public a route into a long evidential record. The Bates judgment is still the most direct source for remote-access and bugs/errors/defects analysis used here, but the inquiry record demonstrates why technical capabilities had to be considered alongside governance, culture, legal process, and compensation.
Remote access does not automatically mean wrongdoing. Many systems need support access to fix faults, maintain service, and assist users. The accountability problem appears when remote access exists but is denied, misunderstood, poorly disclosed, weakly logged, or treated as irrelevant to allegations against users. In an accounting dispute, the possibility of remote alteration is not a side issue. It is an alternative explanation that may change burden, evidence, and fairness.
The prevention rule should be explicit. If an institution relies on a system output to accuse a user, it must disclose whether remote access could affect the relevant data. It must preserve logs showing remote actions. It must explain who had access, which controls governed it, and whether any remote action occurred in the relevant period. If logs are incomplete, the uncertainty should count against institutional confidence, not against the accused individual.
This rule is especially important in distributed public-service systems. Branch operators, local agents, franchisees, contractors, and small businesses often operate at the edge of a central platform. The central institution has technical power. The local operator has public-facing responsibility. When records disagree, the central institution should not be allowed to assume that the edge operator caused the discrepancy without opening the central system to challenge.
Remote-access transparency should therefore be built into system design. The user should receive notices or logs of support actions where appropriate. Audit trails should be tamper-resistant. Expert witnesses should understand and disclose remote capabilities. Contracts should state how support access affects evidence. Courts and regulators should ask about it before accepting system output as decisive.
Expert evidence must include limits, not only conclusions
Horizon also shows why expert evidence about software systems must include limits. An expert can say a system generally worked. That statement may be true and still not prove that a particular shortfall was caused by a particular person. Software systems can be generally reliable while failing in particular conditions. They can process millions of transactions while still producing bugs that matter profoundly to one defendant.
Expert evidence should therefore be specific to the allegation. Which branch? Which dates? Which software version? Which defect history? Which support tickets? Which remote actions? Which reconciliation process? Which data migrations? Which known bugs? Which audit trails? Which alternative explanations? A broad assertion of reliability cannot substitute for case-specific analysis.
The UK Supreme Court's 2024 judgment in a related Post Office compensation/legal context is not a Horizon technical judgment and should not be stretched into one. It belongs here only as a reminder that the legal aftermath continued across multiple procedural routes. The more important principle is general: legal systems need technical evidence that is precise enough to test.
Experts should also disclose uncertainty in ordinary language. If a defect could create a discrepancy, say so. If the expert cannot rule out a remote action because logs are missing, say so. If the system's architecture creates limits on what can be inferred, say so. Courts and accused people can handle uncertainty better than overconfidence that later collapses.
Supplier employees who give evidence face a particular risk. They may know the system deeply, but their employer may have commercial, reputational, or contractual stakes. That does not make their evidence false. It means courts and institutions should require independence, disclosure of conflicts, access to complete defect records, and clear separation between technical analysis and institutional advocacy.
The prevention control is an expert-evidence checklist for software-generated accusations. General reliability, relevant defect history, remote-access capability, data-lineage proof, audit-log completeness, version-specific behavior, support-ticket context, and residual uncertainty. If the checklist cannot be completed, the institution should not treat the software output as decisive evidence against the individual.
Replacement does not erase evidential debt
Replacing Horizon or removing Fujitsu from future procurement may be necessary, but replacement does not erase evidential debt. People were harmed under the old system. Convictions, repayments, bankruptcies, lost businesses, family trauma, and reputational injury cannot be repaired by saying a new system will be better. The old evidential record must still be audited, explained, and compensated.
Replacement can even create a risk of premature closure. Organizations may prefer to talk about transformation, modernization, new suppliers, and future resilience because those topics feel constructive. Victims and claimants may still be waiting for redress. The system that produced harm may be decommissioned while the consequences remain alive. Accountability must keep both timelines in view: future system replacement and past harm repair.
The supplier transition should include knowledge preservation. Defect histories, support tickets, expert reports, data dictionaries, transaction logs, remote-access records, and audit materials should not disappear during replacement. If future claimants or investigators need to understand Horizon behavior, those records must remain available. A decommissioned system can still be evidence.
Replacement should also ask whether the new system changes the cost-transfer rule. Will branch operators receive clearer audit logs? Will remote support actions be visible? Will discrepancy challenges have an independent route? Will defect notices be disclosed to affected users? Will prosecutions or civil recovery ever rely on system outputs without technical challenge? A new interface without new evidential rules is not enough.
Public procurement should incorporate these lessons. Suppliers bidding for systems that produce evidence against individuals should be required to provide defect-disclosure mechanisms, audit trails, user-visible support logs, expert-evidence protocols, independent review rights, and data-preservation commitments. The procurement test should not only ask whether the system works; it should ask whether the system can be fairly challenged.
The Horizon replacement story is therefore part of prevention, not only operations. A public body that buys a new system without embedding challenge rights has learned too little.
Claimant burden is part of institutional harm
The redress process should not make claimants prove again what the scandal already proved structurally: that institutional reliance on Horizon caused severe injustice. Individual claims will always require evidence, but the design of that evidence burden matters. If claimants are forced to reconstruct decades-old losses with documents that the institution should have preserved, cost is again shifted to the harmed person.
Compensation schemes should begin from trauma-informed design. Some claimants may distrust Post Office, government, lawyers, or suppliers because those institutions previously failed them. Some may lack records because businesses collapsed, families moved, health deteriorated, or years passed. Some may be deceased, leaving families to navigate the process. The scheme should reduce friction where the institution already knows the broad failure context.
Administrative delay is not neutral. Each month of delay can mean continued financial strain, unresolved estates, legal uncertainty, stress, and public frustration. Redress statistics should therefore report not only aggregate payments, but waiting times, pending cases, reasons for delay, appeal outcomes, claimant support, and legal-cost burden. Transparency turns delay into a governable fact.
NAO lessons on compensation schemes matter because redress is a delivery system. A badly designed scheme can re-create institutional imbalance even while intending repair. Complex forms, narrow evidential rules, inconsistent offers, and slow communication can become secondary harm. The same evidential humility required before prosecution should appear in compensation.
Fujitsu's accountability intersects with claimant burden even where government and Post Office administer schemes. If supplier evidence contributed to the original cost transfer, supplier cooperation should help reduce the claimant's burden now. Technical records, defect histories, and system explanations should be made available for redress where relevant. The claimant should not have to rediscover a system the supplier built.
The moral test is whether redress reverses the direction of burden. During the scandal, individuals were made to carry institutional certainty. During compensation, institutions should carry the burden of repair. Anything less leaves the cost-transfer logic intact.
A prevention rule should apply beyond the Post Office
The Horizon lesson should be written as a general institutional rule: no automated, semi-automated, or proprietary system output should be used to impose debt, discipline, prosecution, exclusion, or serious reputational harm unless the affected person can challenge the system meaningfully. That rule belongs in public administration, regulated services, and private platforms where system evidence governs human outcomes.
Meaningful challenge has minimum elements. The person should know the data used. They should know the system version and relevant rules. They should have access to defect information that could affect the case. They should be told whether humans or remote systems could alter the record. They should be able to obtain logs or an independent technical review. They should not have to prove a hidden system wrong without access to the system.
This principle is not anti-technology. Reliable systems can protect people, detect fraud, reduce errors, and improve service. The point is that institutional power grows when systems become evidence. That power needs procedural safeguards. Horizon failed not because technology was used, but because technology was treated as more authoritative than the evidence justified and people were left outside the proof loop.
Boards should therefore ask a simple question of any high-stakes system: can a person challenge this output fairly? If the answer is no, the system should not be used for high-stakes cost transfer. If the answer is yes, the board should ask for proof: audit trails, defect disclosure, appeal pathways, independent review, user notices, and preservation rules.
Suppliers should welcome this rule if they want trustworthy markets. A system that can be challenged fairly is more durable than one defended through opacity. Challenge rights expose defects earlier, reduce catastrophic litigation, and make customers less likely to treat the supplier as a hidden adversary. Trustworthy software is not software no one can question. It is software that survives questioning.
The broader public lesson is that digital evidence is becoming ordinary. That ordinariness makes Horizon more, not less, important. The next cost-transfer scandal may arise from benefits software, tax analytics, payroll automation, predictive policing, hospital billing, platform moderation, or energy metering. The prevention rule should be in place before the next group of individuals is told that the system must be right.
Audit trails should be designed for the person accused
Many audit systems are designed for administrators, suppliers, or internal assurance teams. Horizon shows why high-stakes audit trails should also be designed for the person affected by the output. If a system says a branch is short, the branch operator should be able to see enough of the transaction path, correction path, support path, and exception path to understand the allegation. An audit trail that only the institution can interpret is weak protection.
Person-facing audit does not mean exposing every sensitive system detail. It means giving the affected person a coherent record: the transactions at issue, the time stamps, the reconciliation steps, any centrally initiated changes, known incidents affecting the branch or period, relevant defects, and a route to ask for independent review. The record should be exportable and durable. It should not depend on a local manager's discretion.
Audit trails should also show absence where absence matters. If no remote access occurred, the system should be able to show that. If remote access occurred but did not affect the disputed data, the system should show the boundary. If logs are incomplete, the record should say so. Silence should not be interpreted automatically against the individual.
The design rule is that audit should follow consequence. The more severe the possible consequence, the more transparent and independently reviewable the audit trail must be. A minor internal reconciliation exception may need one level of evidence. A demand that an individual repay thousands of pounds, lose a livelihood, or face criminal suspicion requires much more.
This rule would also improve suppliers' incentives. If audit trails must be usable by accused people, suppliers have to build systems that explain themselves. That may add cost, but it prevents much larger social cost. Systems that cannot generate fair audit trails should not be used to impose high-stakes personal liability.
Civil recovery and prosecution should not share unsafe assumptions
Horizon also warns against letting civil recovery and prosecution reinforce each other through the same untested assumption. If a system output is treated as reliable in a civil demand, that confidence can migrate into disciplinary action or criminal suspicion. If a prosecution treats system records as authoritative, that posture can reinforce civil recovery. The same weak technical premise can travel across legal pathways.
The prevention control is to require independent technical review before escalation. A disputed shortfall should not move from accounting query to debt demand to prosecution without asking whether a system defect, remote action, support intervention, or reconciliation error is a plausible explanation. Each escalation should require a stronger evidential basis than the last.
Civil recovery should also include fairness checks. Did the operator have access to the records needed to challenge the shortfall? Was the operator told about known defects? Were alternative explanations investigated? Were centrally initiated corrections reviewed? Was the amount demanded based on verified loss rather than system confidence? These checks should happen before pressure is applied, not after litigation begins.
Prosecution raises the threshold further. Liberty, reputation, and criminal record are at stake. Disclosure must be proactive. Expert evidence must be cautious. The institution bringing or supporting the case should not be allowed to rely on proprietary complexity as a shield. If the system is too complex to disclose and test, it is too complex to use as decisive criminal evidence.
The same idea applies to internal discipline and contract termination. A sub-postmaster or contractor may be ruined even without conviction if the institution terminates a relationship, withholds pay, or publicizes suspicion based on unreliable system data. High-stakes administrative decisions need their own technical challenge process.
Horizon became catastrophic partly because different accountability channels repeated the same confidence. Future systems should do the opposite: each escalation should reopen the technical question with stronger scrutiny.
Evidence stewardship should survive leadership change
Long-running scandals outlast executives, ministers, supplier managers, lawyers, and IT teams. Evidence stewardship must therefore survive leadership change. Defect records, support tickets, audit logs, board papers, expert reports, and claimant communications should be preserved under a legal and ethical retention plan, not left to departmental habit.
This matters because delayed accountability often depends on old records. A claimant may need evidence years later. A court may revisit a conviction. An inquiry may ask who knew what and when. A replacement programme may need to know which defects harmed users. If records disappear, delay again benefits the institution that controlled the evidence.
Supplier contracts should include post-termination evidence duties. When a supplier is replaced, it should still preserve and provide records relevant to claims, inquiries, and legal review. Public bodies should not lose access to evidence because a commercial relationship ends. Nor should suppliers be able to treat historic defect knowledge as irrelevant once a contract moves on.
Evidence stewardship also requires metadata: who created the record, when, what system version it concerns, which branch or claimant it affects, and whether it has been reviewed. A pile of documents is not the same as usable evidence. The people harmed by Horizon needed usable evidence, not institutional archives that only insiders could decode.
That is why prevention and redress meet in record design. A system that records defects well can prevent unsafe accusations. If prevention fails, the same records can support faster compensation. Poor records fail twice: first when harm occurs, and again when repair is delayed.
Accountability should be designed into the next system
The final Fujitsu lesson is that accountability cannot be bolted onto a replacement system after public anger returns. Challenge rights, audit visibility, defect disclosure, remote-access logs, expert-evidence standards, and compensation evidence preservation should be design requirements from the start. A new platform that repeats old proof asymmetry would modernize the interface while preserving the cost-transfer risk.
Typography
Typography is the art and technique of arranging type to make written language legible, readable, and visually appealing. It involves selecting typefaces, point sizes, line lengths, line-spacing, and letter-spacing.
- Typography originated with the invention of movable type by Johannes Gutenberg in the 15th century.
- Key elements include font selection, kerning, tracking, and leading.
- Good typography enhances readability and conveys mood or tone in design.
The accountability test is prevention before redress
The accountable question after Horizon is not only how much redress is paid or which executives apologize. It is whether institutions now have a prevention rule: do not use a digital system to transfer cost, suspicion, or legal burden onto individuals unless the system's reliability, defects, access paths, and audit limits can be independently challenged.
The public record does not reduce responsibility to Fujitsu alone. Post Office, government, lawyers, auditors, prosecutors, and compensation administrators all had or have roles. Fujitsu's role remains important because suppliers can hold technical knowledge that determines whether system evidence is safe. When that knowledge is not made usable, the people outside the system carry the risk.
For Fujitsu and other suppliers, the lesson is to treat evidential systems as public-interest systems when they can harm individuals. Defect records, audit trails, remote-access logs, expert statements, and uncertainty language should be governed as part of the product's safety record. A system used for accusations is not an ordinary back-office tool.
For public institutions, the lesson is to build independent technical challenge into process. Do not let proprietary systems become unchallengeable witnesses. Do not assume digital outputs are neutral. Do not let compensation design shift proof burdens back onto those already harmed. Do not wait for television drama or years of litigation to make system defects visible.
For individuals affected by automated or semi-automated systems, the lesson is bleak but important: demand the logs, the defect history, the access record, the alternative explanation, and the burden-of-proof rule. A system output is evidence only when it can be tested.
Horizon should be remembered as a cost-transfer scandal because that is what made the technical failure so destructive. Software uncertainty became personal debt, criminal suspicion, and delayed repair. The accountable future is not merely better software. It is a rule that institutions must prove the system before they make the person pay.

