An inside job and we'll pay you for the contractor so long as you don't let on?

Does not this bespeak a sort of throttled integrity - the sort which would attend coping with an "inside" job, one which could embarrass the university? Briffa?

'No contract exists for this work' ????

I'll give a pound to all my climate-related earnings since 2000 that the f...g contractor has got one! For 10 Grand's worth of work (25 days??) he'd better have. If he's in the habit of doing that amount of work for nothing he'll very soon be a bankrupt but wiser contractor.

Unless there is something even more fishy going on here?

I dread to think how incompetent the combination of Norfolk Plod and UEA could be if they tried to run a scam between them......not that I'm casting aspersions.....but.....

The UEA contracted a forensics report for either the Oxburgh Inquiry or the Muir Russell Review.

I don’t remember seeing this forensics report in any of the documentation for either Oxburgh or Russell, does anybody else?

Could an interested party request the results of the review of UEA's systems under FOI?

Professionalism with Honesty, Integrity, Openness and Impartiality

You bet!

So, the Norfolk police decided to employ a specialist to examine UEA's computers - OK so far.

Then, UEA said to the investigating team: 'no need to bother yourselves boys, we'll employ them instead and send you an invoice'.

What sort of investigator allows that to happen?

Couldn't quite imagine that happening if, say, someone was being investigated for child pornography - err, don't bother sending an expert, I've got a pal who'll do it on your behalf, then I'll bill you for his time.

"The University made their own decision to engage that company to review the security of their system and carry out work on their behalf. The company completed the work and invoiced Norfolk Constabulary"

So who wrote the contract?

Re: Eddie0

"Could an interested party request the results of the review of UEA's systems under FOI?"

If they have disclosed the report to a third party such as Russell of Oxburgh then they would lose the right to claim it is private. Since the billing for the report appears in the ledger for both these inquiries then it would be reasonable to assume it had been disclosed to at least one of them.

This lack of contracts and associated paperwork is surely not permissible under UEA's own financial regulations. Do universities have any form of financial oversight from outside?

I'm a little bit more generous in the interpretation of the response.

I think they are saying:
1. Norfolk Police engaged company "X"
2. UEA engaged company "X"
3. Company "X" billed Norfolk Police for both 1 and 2 (by mistake)
4. Norfolk Police paid Company "X" for both 1 and 2 (by mistake)
5. Norfolk Police realised their mistake and asked UEA for money for 2
6. UEA paid Norfolk Police for 2

What this would mean is that there is no contract between Norfolk Police and UEA regarding the payment.
However, there should be correspondence between the Police and the UEA regarding the payment.

Agree with Latimer.

There should be two contracts, one between Norfolk Constabulary and between the contractor and UEA. If Norfolk Constabulary acted as an agent, intermediary or reseller for their contractor to the UEA, then they probably should have had a contract with the UEA for providing those services. It seems rather unwise if Norfolk ended up liable for work undertaken at the investigation subject's request without any formal contract or agreement regarding the scope or fees for that work.

Ethically it also seems a bit dubious. The police were investigating whether it was a leak or a hack, is it ethical to have the same expert acting for both the investigation, and for the victim. That seems like a pretty clear conflict of interest.

Re TerryS

No self-respecting contractor would agree to do any work, extras or not without a scoping agreement, fees schedule and/or contractor.

|[2]www.norfolk.police.uk |
| |
|Professionalism with Honesty, Integrity, Openness and Impartiality |
+------------------------------------------------------------------------+

They can't catch 'the hacker'. They won't even say whether there was a hacker, or whether 'the miracle' was an internal leak. They refuse to provide any information on the state of their investigation even though, there is still a lot of interest in it from four corners of the world. Though they have acted as middlemen between the University of East Anglia and a private IT security firm and money has been sloshed through Police accounts, they don't want you to know what it is. They seem to be protecting the UEA from further fallout, though this suspicion cannot be confirmed because the Constabulary refuse to cooperate.

The longer this goes on the greater the scrutiny will be on Norfolk Constabulary. This is a test of their professionalism, honesty, integrity, openness and impartiality.

BTW, whoever liberated those emails is a hero. Whoever caused that miracle is an angel.What they did was to carry out an FOI request that the UEA deliberately and unlawfully refused to comply with. Perhaps there is an angel and a hero in the ranks of Norfolk Constabulary as well.

@Terry S

So you need three parties to all have identically incompetent admin staff?

1. Contractor has to invoice plod for work done for UEA (Mistake 1)
2 Plod has to pay against no valid contract (Big mistake 2)
3. Plod raises invoice to UEA against non-existent contract between UEA and Plod. and UEA pays it (3).Or voluntarily pays it against no invoice (Big mistake 3)

Our venerated host here is I believe an accountant outside of his pastoral and authorial duties and may be able to comment further, but it seems that some or all of these institutions will not have their books in good auditable order.

Couple this with the unconscionable length of time that the constabulary have taken not to conclude the climategate investiagtion and it all stinks. Possibly there is an innocent explanation, but (as usual) they are not going out of their way to present it.

Oh for a Deep Throat! And all we have is Deep Climate. Not even Deep Thought :-(

What we want to know is where we are after this almost 17 month enquiry.

maybe some UEA climate scientist has a sideline business as an IT Security expert . . .

Liberate the Liberator. How cold does it have to get before the Liberator's heroism is acknowledged?
======================

Re Atomic Hairdryer

"No self-respecting contractor would agree to do any work, extras or not without a scoping agreement, fees schedule and/or contractor."

Yes I agree. But if I am correct in the interpretation then all those documents exists between the UEA and company "X", not between the UEA and Police. The only documents that would exist between the Police and the UEA would be along the lines of:

Police -> UEA: We got billed by "X" for work they did for you and paid it.
UEA -> Police: Oops. Send us an invoice and we will reimburse you.

What should have happened is that the Police should have obtained a refund from company "X". Company "X" should have then invoiced UEA. UEA then pays company "X". In that way the payment appears on the ledger as a payment to company "X" instead of a Payment to Norfolk Police.

An unusual sequence of events, yes, but having had to open up to the polices "expert", it is not suspicious, that UEA then decided to retain their services too.

That UEA had to pick up the bill submitted to the police suggests there was no indication that a crime had been committed, victims of crime are not normally expected to pay for the investigation are they?

That UEA coughed up, also implies that they have sufficient evidence to know that no crime had been committed

It also occurs to me that under the circs described any work the contractor undertook on behalf of UEA would have been at his own risk since any liability insurance he may have had would be void (no contract). Such insurance normally covers losses up to 5 or 10 mill.

So it would be a completely daft and self-destructive thing for a contractor to do. And pretty dumb of Trev Davies and Ed Acton to have let him. The former is very unlikely...but the latter is very plausible...hmmmmm?

As Alice said, 'Curiouser and curiouser!'
The entire story sounds very wrong to me, but, hey, I'm only a bloody taxpayer who is allowed no latitude whatsoever, by Uncle Tom Cobbley and all. And if some dear soul attempts to convince me that all universities and all policemen are utterly incorruptable...

Re Latimer:

Norfolk Police (NP) will have raised a purchase order number (PON) with company X for the work NP want carryingout. The only mistake necessary is for company X to invoice NP, for the work they carried out for the UEA, using the PON assigned to them for NP's work.
NP admin would look at the PON on the invoice, see it was valid and would then pay it. This would not be a mistake because, from the admin's perspective, it is a legitimate invoice with a legitimate PON.
The invoice from the NP to the UEA and the payment from the UEA to the NP is not a mistake, it is correcting a mistake.

I have followed this saga with slack-jawed amazement. NOTHING ever seems to be completely transparent or above board with this lot. Even the simplest of matters is swirl of smoke and mirrors.
The default setting is always to muddy and obscure.
Kudos to those who do not let up in their search for what is really going on. You have a lot more patience than me.

Re TerryS

It's more that there should have been no 'oops'. Police use outside forensics, that's no suprise, they have to given forensic services are mostly privatised. That bit of the job would be done under whatever contract the police had with the supplier/contractor. If the UEA wanted extra work done, they should have contracted seperately with the contractor to avoid COI, liability etc. If the police were acting as agent or reseller for the contractor, then there should have been a contract between the police and UEA for the services supplied, but then see also problems with the police acting as agents, approvers, recommenders for locks, alarm systems etc etc.

This really is straining the already thin credibility of these two 'institutions'.

The incompetence theory is all very well until we are asked to put our faith in the competence of the incompetent. And both UEA and Norfolk police are either useless or in cahoots.

Surely they know who is responsible for the leak after seventeen months?

There is something highly unusual in my view (ex police officer and solicitor) in a state investigator investigating a complaint and then receiving payment from the complainant in whatever form, even, as has been speculated, as an agent. Even were the investigating contractor to have been able to work for the police and was then subsequently engaged by the complainant, there is no basis that I can see that would be appropriate for invoices for the work for the complainaint to be channelled through the police. This apears to have all the hallmarks of the usual public service/sector utter failure to foster the absolutely essential perception of independence. In the public sphere one must not just be independent, but one must be seen to be so. It is such a basic tenet of public governance and accountability that I despiar to see it so regularly abused (IPCC, etc.)

Surely the guy you are looking for is Peter Somner of the London School of Economics, who was contracted to look at the backup server by the Russell inquiry? IIRC, he analysed the physical server (ie "evidence") in a secure location with limited access, rather than imaging the disks, and analysing in comfort. He wasn't even allowed to use computer forensic software tools.

The company is probably his contracting company.

Perhaps we should approach this mystery from another angle.

We need to identify the forensic computer systems experts.

Is there a "Wishee Washee Data Laundry Co." in the Norwich Yellow Pages?

Re: Atomic

Whilst conducting their investigation into the access to and downloading of data from the
computers at the University of East Anglia, the Major Investigation Team engaged the services of a company with the ability to forensically examine the computer system.

The Police hire company X to do forensics work.

The University made their own decision to engage that company to review the security of their system and carry out work on their behalf.

The UEA also hires company X

The company completed the work and invoiced Norfolk Constabulary for all of the work undertaken,

Company X bills the Police for the work carried out on behalf of the Police and the UEA. This was a mistake by the police.

and UEA reimbursed Norfolk Constabulary for the work that had been completed at their request.

The Police realised they had paid for work performed on behalf of the UEA and got the UEA to reimburse them.

There is no contract between the UEA and the Police. It was a simple mistake by company X.

The real questions are:
1. What does the report by company X say?
2. Since they got the report, how has the UEA officially referred to the emails?
3. Did the UEA show the report to either Russell or Oxburgh?

Correction:
"this was a mistake by the Police" should be "this was a mistake by X"

The police out there are Norfolk 'n' good !

As TerryS and others point out, this arrangement leads to conflicts of interest that may be hiding the truth here.

Out, out damned spot. Can they be relieved of their left hands, these thieves?
==================

@terry

'it was a simple mistake by company X'

No. Maybe there was originally a simple mistake. But it was compounded by both other parties agreeing to participate in 'unnatural acts' to reverse this mistake.

There are easy and conventional ways to put it right... a credit note to balance the books at plod, and a new invoice to balance the books at UEA. One has to speculate why they didn't choose to do that and instead went about it in this bizarre way leaving no paperwork.

Sorry Your Grace. Not trying to steal your thunder. Just crossed in the post.

Re TerryS

The UEA doesn't seem to have hired 'company X', and 'company X' should only have performed the work they were hired to do by the client they had the contract with. There should have been no 'oops' unless there was very poor administration.

As for who company X was, that's Qinetiq:

http://www.cce-review.org/evidence/Report%20on%20email%20extraction.pdf

I have also been supplied by
Norfolk Police with three further “thumb drives” containing the emails extracted from the
back-up server associated with the computers of the researchers in question. The
extraction was carried out by Qinetiq, as contractors to Norfolk Police

Qinetiq has several practice groups, and offer IT security audits and services. If UEA wanted that work done, they should have contracted directly with Qinetiq to keep it slightly at arms length from the police investigation.

I find the thought very intriguing, and I'm not alone, that the Norfolk Constabulary have identified the Liberator. It's going to be a very fascinating and revelatory story about why they have not publicly identified this hero.
============

Heh, it's probably pending the great difficulty of arranging a new secret life for the Liberator. Where do you hide someone half the world would like to quarter and the other half to put on a pedestal?
============

Maybe someone from Norwich FC could advise on how the local police invoice for their services, regarding crowd control, assuming there are crowds that need controlling

Re: Bishop Hill

> Otherwise everybody's VAT is wrong

The VAT all balances out unless either the Norfolk Police or the UEA are on the Flat Rate Scheme and that could only happen if their turnover is less the £150k

> Still intrigued by the fact that UEA thought they had paid Norfolk Police Authority.

They did pay the Norfolk Police. The response says that the UEA reimbursed them.

'Maybe someone from Norwich FC could advise on how the local police invoice for their services, regarding crowd control, assuming there are crowds that need controlling'

We know NCFC do crowd control. St Delia did it 'after lunch' one day.

http://www.youtube.com/watch?v=Z_8JLkwzpd0

Payment strictly by the glass.....

Re: atomic

> The UEA doesn't seem to have hired 'company X

From the response:

The University made their own decision to engage that company to review the security of their system and carry out work on their behalf.

Sounds like they hired them to me.

This tells me that no charges will be pressed, on the basis of any evidence gathered by the 3rd party forensic team.

The police and UEA have entered a client/vendor arrangement, thus any evidence as a result is useless. Or at the very least, would be looked at very skeptically by a judge or jury, because of Conflict of Interest.

The chain of evidence would also be strongly contested, in this arrangement.

Its kind of a simile for climate change, isn't it?

Who is to investigate the investigators?

Who is to bell the mice?
==================

At the very least, the company doing the forensics on the server should have refused to do any work on them for the UEA.

It clearly compromises the provenance of any findings since one of the suspects (the UEA itself via one of its employees) has payed money to the forensics company.

@terry s

If indeed UEA hired Qinetic, how did Qinetic know they were hired? There is no contract.

Dunno about you but if I went swanning off to work somewhere with no contract signed, my admin/contract/billing people would get pretty upset. As would my principal.

So if the UEA paid for this, can they be FOI'd for the results of the examination? Or have I got this wrong? It does seem odd.

Is there no conflict of interest in company X working for the police and being "engaged" by the UEA "to review the security of their system and carry out work on their behalf"?

Couldn't QinetiQ find itself in the situation of having to tell the police something that could have negatively impacted their current and future work at UEA?