Click images for more details



Recent comments
Recent posts
Currently discussing

A few sites I've stumbled across recently....

Powered by Squarespace
« A meeting of moderates | Main | Leo Hickman on peace talks »

What's up with Norfolk Police?

A few weeks back I got some general ledger details from UEA and we discovered, among other things, that UEA had made a big payment to Norfolk Police Authority. The police authority is the body that oversees the constabulary, which I thought was rather odd.

I therefore put in an FOI asking them for a copy of the invoice plus any related correspondence. The immediate response was slightly strange in that I was passed straight on to Norfolk Constabulary's FOI department. At the time I assumed that Norfolk Police Authority and the Constabulary itself must share financial ledgers. I thought nothing else of it.

However, today the response has come back.

In the context of a request under the Freedom of Information Act being for information not 
documents, as you have detailed above, you are already in possession of the invoice information between Norfolk Police Authority and the University of East Anglia.  Please see below an explanatory statement regarding this payment.  No contract exists in relation to this work.   
Whilst conducting their investigation into the access to and downloading of data from the 
computers at the University of East Anglia, the Major Investigation Team engaged the services of a company with the ability to forensically examine the computer system. The University made their  own decision to engage that company to review the security of their system and carry out work on their behalf. The company completed the work and invoiced Norfolk Constabulary for all of the work undertaken, and UEA reimbursed Norfolk Constabulary for the work that had been completed at their request.

So, they are not letting me see the actual invoice and they are not saying anything at all about the related correspondence.

The story about this representing a recharge for computer forensics is strange too. We have seen in the UEA disclosure some costs for computer forensics, although only £5k or so.

Does this make anyone else a bit uncomfortable?

PrintView Printer Friendly Version

Reader Comments (121)

An inside job and we'll pay you for the contractor so long as you don't let on?

Jun 22, 2011 at 10:55 AM | Unregistered Commenteralistair

Does not this bespeak a sort of throttled integrity - the sort which would attend coping with an "inside" job, one which could embarrass the university? Briffa?

Jun 22, 2011 at 10:59 AM | Unregistered Commenterj ferguson

'No contract exists for this work' ????

I'll give a pound to all my climate-related earnings since 2000 that the f...g contractor has got one! For 10 Grand's worth of work (25 days??) he'd better have. If he's in the habit of doing that amount of work for nothing he'll very soon be a bankrupt but wiser contractor.

Unless there is something even more fishy going on here?

I dread to think how incompetent the combination of Norfolk Plod and UEA could be if they tried to run a scam between them......not that I'm casting aspersions.....but.....

Jun 22, 2011 at 11:09 AM | Unregistered CommenterLatimer Alder

The UEA contracted a forensics report for either the Oxburgh Inquiry or the Muir Russell Review.

I don’t remember seeing this forensics report in any of the documentation for either Oxburgh or Russell, does anybody else?

Jun 22, 2011 at 11:10 AM | Unregistered CommenterTerryS

Could an interested party request the results of the review of UEA's systems under FOI?

Jun 22, 2011 at 11:18 AM | Unregistered CommenterEddieO

Professionalism with Honesty, Integrity, Openness and Impartiality

You bet!

Jun 22, 2011 at 11:18 AM | Unregistered CommenterKon Dealer

So, the Norfolk police decided to employ a specialist to examine UEA's computers - OK so far.

Then, UEA said to the investigating team: 'no need to bother yourselves boys, we'll employ them instead and send you an invoice'.

What sort of investigator allows that to happen?

Couldn't quite imagine that happening if, say, someone was being investigated for child pornography - err, don't bother sending an expert, I've got a pal who'll do it on your behalf, then I'll bill you for his time.

Jun 22, 2011 at 11:21 AM | Unregistered CommenterDougS

"The University made their own decision to engage that company to review the security of their system and carry out work on their behalf. The company completed the work and invoiced Norfolk Constabulary"

So who wrote the contract?

Jun 22, 2011 at 11:24 AM | Unregistered CommenterJames P

Re: Eddie0

"Could an interested party request the results of the review of UEA's systems under FOI?"

If they have disclosed the report to a third party such as Russell of Oxburgh then they would lose the right to claim it is private. Since the billing for the report appears in the ledger for both these inquiries then it would be reasonable to assume it had been disclosed to at least one of them.

Jun 22, 2011 at 11:24 AM | Unregistered CommenterTerryS

This lack of contracts and associated paperwork is surely not permissible under UEA's own financial regulations. Do universities have any form of financial oversight from outside?

Jun 22, 2011 at 11:28 AM | Unregistered CommenterMessenger

I'm a little bit more generous in the interpretation of the response.

I think they are saying:
1. Norfolk Police engaged company "X"
2. UEA engaged company "X"
3. Company "X" billed Norfolk Police for both 1 and 2 (by mistake)
4. Norfolk Police paid Company "X" for both 1 and 2 (by mistake)
5. Norfolk Police realised their mistake and asked UEA for money for 2
6. UEA paid Norfolk Police for 2

What this would mean is that there is no contract between Norfolk Police and UEA regarding the payment.
However, there should be correspondence between the Police and the UEA regarding the payment.

Jun 22, 2011 at 11:32 AM | Unregistered CommenterTerryS

Agree with Latimer.

There should be two contracts, one between Norfolk Constabulary and between the contractor and UEA. If Norfolk Constabulary acted as an agent, intermediary or reseller for their contractor to the UEA, then they probably should have had a contract with the UEA for providing those services. It seems rather unwise if Norfolk ended up liable for work undertaken at the investigation subject's request without any formal contract or agreement regarding the scope or fees for that work.

Ethically it also seems a bit dubious. The police were investigating whether it was a leak or a hack, is it ethical to have the same expert acting for both the investigation, and for the victim. That seems like a pretty clear conflict of interest.

Jun 22, 2011 at 11:37 AM | Unregistered CommenterAtomic Hairdryer

Re TerryS

No self-respecting contractor would agree to do any work, extras or not without a scoping agreement, fees schedule and/or contractor.

Jun 22, 2011 at 11:38 AM | Unregistered CommenterAtomic Hairdryer

|[2] |
| |
|Professionalism with Honesty, Integrity, Openness and Impartiality |

They can't catch 'the hacker'. They won't even say whether there was a hacker, or whether 'the miracle' was an internal leak. They refuse to provide any information on the state of their investigation even though, there is still a lot of interest in it from four corners of the world. Though they have acted as middlemen between the University of East Anglia and a private IT security firm and money has been sloshed through Police accounts, they don't want you to know what it is. They seem to be protecting the UEA from further fallout, though this suspicion cannot be confirmed because the Constabulary refuse to cooperate.

The longer this goes on the greater the scrutiny will be on Norfolk Constabulary. This is a test of their professionalism, honesty, integrity, openness and impartiality.

BTW, whoever liberated those emails is a hero. Whoever caused that miracle is an angel.What they did was to carry out an FOI request that the UEA deliberately and unlawfully refused to comply with. Perhaps there is an angel and a hero in the ranks of Norfolk Constabulary as well.

Jun 22, 2011 at 11:39 AM | Unregistered CommentersHx

@Terry S

So you need three parties to all have identically incompetent admin staff?

1. Contractor has to invoice plod for work done for UEA (Mistake 1)
2 Plod has to pay against no valid contract (Big mistake 2)
3. Plod raises invoice to UEA against non-existent contract between UEA and Plod. and UEA pays it (3).Or voluntarily pays it against no invoice (Big mistake 3)

Our venerated host here is I believe an accountant outside of his pastoral and authorial duties and may be able to comment further, but it seems that some or all of these institutions will not have their books in good auditable order.

Couple this with the unconscionable length of time that the constabulary have taken not to conclude the climategate investiagtion and it all stinks. Possibly there is an innocent explanation, but (as usual) they are not going out of their way to present it.

Oh for a Deep Throat! And all we have is Deep Climate. Not even Deep Thought :-(

Jun 22, 2011 at 11:47 AM | Unregistered CommenterLatimer Alder

What we want to know is where we are after this almost 17 month enquiry.

Jun 22, 2011 at 11:51 AM | Unregistered CommenterRB

maybe some UEA climate scientist has a sideline business as an IT Security expert . . .

Jun 22, 2011 at 11:51 AM | Unregistered CommenterFred from Canuckistan

Liberate the Liberator. How cold does it have to get before the Liberator's heroism is acknowledged?

Jun 22, 2011 at 11:52 AM | Unregistered Commenterkim

Re Atomic Hairdryer

"No self-respecting contractor would agree to do any work, extras or not without a scoping agreement, fees schedule and/or contractor."

Yes I agree. But if I am correct in the interpretation then all those documents exists between the UEA and company "X", not between the UEA and Police. The only documents that would exist between the Police and the UEA would be along the lines of:

Police -> UEA: We got billed by "X" for work they did for you and paid it.
UEA -> Police: Oops. Send us an invoice and we will reimburse you.

What should have happened is that the Police should have obtained a refund from company "X". Company "X" should have then invoiced UEA. UEA then pays company "X". In that way the payment appears on the ledger as a payment to company "X" instead of a Payment to Norfolk Police.

Jun 22, 2011 at 11:54 AM | Unregistered CommenterTerryS

An unusual sequence of events, yes, but having had to open up to the polices "expert", it is not suspicious, that UEA then decided to retain their services too.

That UEA had to pick up the bill submitted to the police suggests there was no indication that a crime had been committed, victims of crime are not normally expected to pay for the investigation are they?

That UEA coughed up, also implies that they have sufficient evidence to know that no crime had been committed

Jun 22, 2011 at 11:55 AM | Unregistered Commentergolf charley

It also occurs to me that under the circs described any work the contractor undertook on behalf of UEA would have been at his own risk since any liability insurance he may have had would be void (no contract). Such insurance normally covers losses up to 5 or 10 mill.

So it would be a completely daft and self-destructive thing for a contractor to do. And pretty dumb of Trev Davies and Ed Acton to have let him. The former is very unlikely...but the latter is very plausible...hmmmmm?

Jun 22, 2011 at 11:56 AM | Unregistered CommenterLatimer Alder

As Alice said, 'Curiouser and curiouser!'
The entire story sounds very wrong to me, but, hey, I'm only a bloody taxpayer who is allowed no latitude whatsoever, by Uncle Tom Cobbley and all. And if some dear soul attempts to convince me that all universities and all policemen are utterly incorruptable...

Jun 22, 2011 at 11:58 AM | Unregistered CommenterAlexander K

Re Latimer:

Norfolk Police (NP) will have raised a purchase order number (PON) with company X for the work NP want carryingout. The only mistake necessary is for company X to invoice NP, for the work they carried out for the UEA, using the PON assigned to them for NP's work.
NP admin would look at the PON on the invoice, see it was valid and would then pay it. This would not be a mistake because, from the admin's perspective, it is a legitimate invoice with a legitimate PON.
The invoice from the NP to the UEA and the payment from the UEA to the NP is not a mistake, it is correcting a mistake.

Jun 22, 2011 at 12:06 PM | Unregistered CommenterTerryS

I have followed this saga with slack-jawed amazement. NOTHING ever seems to be completely transparent or above board with this lot. Even the simplest of matters is swirl of smoke and mirrors.
The default setting is always to muddy and obscure.
Kudos to those who do not let up in their search for what is really going on. You have a lot more patience than me.

Jun 22, 2011 at 12:07 PM | Unregistered CommenterJack Savage

Re TerryS

It's more that there should have been no 'oops'. Police use outside forensics, that's no suprise, they have to given forensic services are mostly privatised. That bit of the job would be done under whatever contract the police had with the supplier/contractor. If the UEA wanted extra work done, they should have contracted seperately with the contractor to avoid COI, liability etc. If the police were acting as agent or reseller for the contractor, then there should have been a contract between the police and UEA for the services supplied, but then see also problems with the police acting as agents, approvers, recommenders for locks, alarm systems etc etc.

Jun 22, 2011 at 12:11 PM | Unregistered CommenterAtomic Hairdryer

This really is straining the already thin credibility of these two 'institutions'.

The incompetence theory is all very well until we are asked to put our faith in the competence of the incompetent. And both UEA and Norfolk police are either useless or in cahoots.

Surely they know who is responsible for the leak after seventeen months?

Jun 22, 2011 at 12:11 PM | Unregistered CommenterStuck-record

There is something highly unusual in my view (ex police officer and solicitor) in a state investigator investigating a complaint and then receiving payment from the complainant in whatever form, even, as has been speculated, as an agent. Even were the investigating contractor to have been able to work for the police and was then subsequently engaged by the complainant, there is no basis that I can see that would be appropriate for invoices for the work for the complainaint to be channelled through the police. This apears to have all the hallmarks of the usual public service/sector utter failure to foster the absolutely essential perception of independence. In the public sphere one must not just be independent, but one must be seen to be so. It is such a basic tenet of public governance and accountability that I despiar to see it so regularly abused (IPCC, etc.)

Jun 22, 2011 at 12:26 PM | Unregistered CommenterRB

Surely the guy you are looking for is Peter Somner of the London School of Economics, who was contracted to look at the backup server by the Russell inquiry? IIRC, he analysed the physical server (ie "evidence") in a secure location with limited access, rather than imaging the disks, and analysing in comfort. He wasn't even allowed to use computer forensic software tools.

The company is probably his contracting company.

Jun 22, 2011 at 12:28 PM | Unregistered CommenterDead Dog Bounce

Perhaps we should approach this mystery from another angle.

We need to identify the forensic computer systems experts.

Is there a "Wishee Washee Data Laundry Co." in the Norwich Yellow Pages?

Jun 22, 2011 at 12:28 PM | Unregistered CommenterMartin Brumby

Re: Atomic

Whilst conducting their investigation into the access to and downloading of data from the
computers at the University of East Anglia, the Major Investigation Team engaged the services of a company with the ability to forensically examine the computer system.

The Police hire company X to do forensics work.

The University made their own decision to engage that company to review the security of their system and carry out work on their behalf.

The UEA also hires company X

The company completed the work and invoiced Norfolk Constabulary for all of the work undertaken,

Company X bills the Police for the work carried out on behalf of the Police and the UEA. This was a mistake by the police.

and UEA reimbursed Norfolk Constabulary for the work that had been completed at their request.

The Police realised they had paid for work performed on behalf of the UEA and got the UEA to reimburse them.

There is no contract between the UEA and the Police. It was a simple mistake by company X.

The real questions are:
1. What does the report by company X say?
2. Since they got the report, how has the UEA officially referred to the emails?
3. Did the UEA show the report to either Russell or Oxburgh?

Jun 22, 2011 at 12:28 PM | Unregistered CommenterTerryS

"this was a mistake by the Police" should be "this was a mistake by X"

Jun 22, 2011 at 12:29 PM | Unregistered CommenterTerryS

The police out there are Norfolk 'n' good !

Jun 22, 2011 at 12:31 PM | Unregistered CommenterRogerT

As TerryS and others point out, this arrangement leads to conflicts of interest that may be hiding the truth here.

Out, out damned spot. Can they be relieved of their left hands, these thieves?

Jun 22, 2011 at 12:33 PM | Unregistered Commenterkim

This isn't quite right. If you bill somebody in error you issue a credit note and rebill the correct person. Otherwise everybody's VAT is wrong. This implies that Norfolk Constabulary were providing services to UEA. Still intrigued by the fact that UEA thought they had paid Norfolk Police Authority.

Jun 22, 2011 at 12:35 PM | Registered CommenterBishop Hill


'it was a simple mistake by company X'

No. Maybe there was originally a simple mistake. But it was compounded by both other parties agreeing to participate in 'unnatural acts' to reverse this mistake.

There are easy and conventional ways to put it right... a credit note to balance the books at plod, and a new invoice to balance the books at UEA. One has to speculate why they didn't choose to do that and instead went about it in this bizarre way leaving no paperwork.

Jun 22, 2011 at 12:36 PM | Unregistered CommenterLatimer Alder

Sorry Your Grace. Not trying to steal your thunder. Just crossed in the post.

Jun 22, 2011 at 12:37 PM | Unregistered CommenterLatimer Alder

Re TerryS

The UEA doesn't seem to have hired 'company X', and 'company X' should only have performed the work they were hired to do by the client they had the contract with. There should have been no 'oops' unless there was very poor administration.

As for who company X was, that's Qinetiq:

I have also been supplied by
Norfolk Police with three further “thumb drives” containing the emails extracted from the
back-up server associated with the computers of the researchers in question. The
extraction was carried out by Qinetiq, as contractors to Norfolk Police

Qinetiq has several practice groups, and offer IT security audits and services. If UEA wanted that work done, they should have contracted directly with Qinetiq to keep it slightly at arms length from the police investigation.

Jun 22, 2011 at 12:41 PM | Unregistered CommenterAtomic Hairdryer

I find the thought very intriguing, and I'm not alone, that the Norfolk Constabulary have identified the Liberator. It's going to be a very fascinating and revelatory story about why they have not publicly identified this hero.

Jun 22, 2011 at 12:43 PM | Unregistered Commenterkim

Heh, it's probably pending the great difficulty of arranging a new secret life for the Liberator. Where do you hide someone half the world would like to quarter and the other half to put on a pedestal?

Jun 22, 2011 at 12:45 PM | Unregistered Commenterkim

Maybe someone from Norwich FC could advise on how the local police invoice for their services, regarding crowd control, assuming there are crowds that need controlling

Jun 22, 2011 at 12:45 PM | Unregistered Commentergolf charley

Re: Bishop Hill

> Otherwise everybody's VAT is wrong

The VAT all balances out unless either the Norfolk Police or the UEA are on the Flat Rate Scheme and that could only happen if their turnover is less the £150k

> Still intrigued by the fact that UEA thought they had paid Norfolk Police Authority.

They did pay the Norfolk Police. The response says that the UEA reimbursed them.

Jun 22, 2011 at 12:51 PM | Unregistered CommenterTerryS

'Maybe someone from Norwich FC could advise on how the local police invoice for their services, regarding crowd control, assuming there are crowds that need controlling'

We know NCFC do crowd control. St Delia did it 'after lunch' one day.

Payment strictly by the glass.....

Jun 22, 2011 at 12:51 PM | Unregistered CommenterLatimer Alder

Re: atomic

> The UEA doesn't seem to have hired 'company X

From the response:

The University made their own decision to engage that company to review the security of their system and carry out work on their behalf.

Sounds like they hired them to me.

Jun 22, 2011 at 12:55 PM | Unregistered CommenterTerryS

This tells me that no charges will be pressed, on the basis of any evidence gathered by the 3rd party forensic team.

The police and UEA have entered a client/vendor arrangement, thus any evidence as a result is useless. Or at the very least, would be looked at very skeptically by a judge or jury, because of Conflict of Interest.

The chain of evidence would also be strongly contested, in this arrangement.

Its kind of a simile for climate change, isn't it?

Jun 22, 2011 at 1:02 PM | Unregistered CommenterLes Johnson

Hard to imagine Qinetic making a billing error like this.

Jun 22, 2011 at 1:04 PM | Registered CommenterBishop Hill

Who is to investigate the investigators?

Who is to bell the mice?

Jun 22, 2011 at 1:07 PM | Unregistered Commenterkim

At the very least, the company doing the forensics on the server should have refused to do any work on them for the UEA.

It clearly compromises the provenance of any findings since one of the suspects (the UEA itself via one of its employees) has payed money to the forensics company.

Jun 22, 2011 at 1:08 PM | Unregistered CommenterTerryS

@terry s

If indeed UEA hired Qinetic, how did Qinetic know they were hired? There is no contract.

Dunno about you but if I went swanning off to work somewhere with no contract signed, my admin/contract/billing people would get pretty upset. As would my principal.

Jun 22, 2011 at 1:12 PM | Unregistered CommenterLatimer Alder

So if the UEA paid for this, can they be FOI'd for the results of the examination? Or have I got this wrong? It does seem odd.

Jun 22, 2011 at 1:14 PM | Unregistered CommenterRoss H

Is there no conflict of interest in company X working for the police and being "engaged" by the UEA "to review the security of their system and carry out work on their behalf"?

Couldn't QinetiQ find itself in the situation of having to tell the police something that could have negatively impacted their current and future work at UEA?

Jun 22, 2011 at 1:14 PM | Unregistered CommenterMaurizio Morabito

PostPost a New Comment

Enter your information below to add a new comment.

My response is on my own website »
Author Email (optional):
Author URL (optional):
Some HTML allowed: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <code> <em> <i> <strike> <strong>