Over the past few days, three class action lawsuits were launched against Intel in California, Oregon, and Indiana. The consumers who participated in the lawsuits argue that when they purchased the processors they were promised a certain level of performance. The Meltdown and Spectre patches seem to degrade performance at least in certain workloads, as acknowledged by Intel, so they now seek compensation.
“Defective” Chips
The plaintiffs in all three lawsuits argued that Intel has been advertising “defective” chips to them for at least the past 10 years. The Spectre flaw in particular comes from the design Intel chose for its chips a long time ago, perhaps to the detriment of security.
The "speculative execution" design allows Intel’s chips to “predict” which operation it needs to run next so that code is standing by, waiting to be fetched. However, Intel’s chips could also fetch security-sensitive code this way, which means attackers could exploit this design flaw to extract the same data from the CPU’s execution process through innocuous JavaScript code.
It’s not clear whether or not Intel knew about the compromise in security when it chose this design, or perhaps it didn’t think this would be an issue at the time, as the attack may have been considered extraordinarily difficult to carry out.
Either way, the plaintiffs also argue that Intel has known for months about the two bugs (after Google disclosed it to them earlier this year), but continued to advertise those “defective” CPUs with the same performance Intel originally claimed they have, before they knew about the vulnerabilities.
However, we know now that the software patches for Meltdown and Spectre flaws can affect at least some workloads. Red Hat, a Linux-based product and services vendor, recently benchmarked its systems after applying the patches and noticed a performance degradation anywhere from 2%-19%, depending on the workload.
The plaintiffs argue that they didn’t know their chips would end-up being to up to 30% slower (as some of the initial rumors and benchmarks claimed at the time the lawsuits were launched) when they purchased them. The plaintiffs argue that had they known about the defects, they may not have purchased Intel’s chips in the first place. Therefore, now they deserve compensation for their purchases.
What Happens Next?
Class action lawsuits aren’t all that uncommon in the U.S. whenever a certain flaw in a mass-market product appears, because there’s always the potential for compensation for those who participate in the lawsuits, including for the lawyers themselves.
Intel will likely continue to promote the argument that the majority of consumers are unaffected by the Meltdown and Spectre patches, but it remains to be seen how the juries and judges will see this. After all, not everyone uses their computers to only browse Facebook.
At least a small percentage of users might be using their Intel chips to launch virtual machines on their computers (as a way to browse safely on the internet, for instance), or test their websites on a local web server, and so on. These are the type of users who would be most affected by the patches, and they could tip the balance in favor of the plaintiffs and against Intel in the lawsuits.
For now, there don’t seem to be any lawsuits started by hosting or cloud services companies. These companies could arguably make an even better and more clear-cut case that the Intel chips have now increased their businesses' operational costs, and they could be demanding compensation for that. However, at least the big cloud players seem to be claiming that the patches don’t affect them too much.
Virtually all cloud players rely on Intel’s chips to run their businesses, although AMD’s EPYC and Qualcomm and Cavium’s ARM server chips have slowly started to encroach on Intel’s territory in the past year.
A Focus On Better Chip Security?
The fact that most of the chip makers (with the exception of RISC-V chips) seem to be affected at least in part by Spectre, as well as the lawsuits we’re now seeing launched against Intel, could convince chip makers that they need to optimize their chips for security more, rather than chasing higher performance at all costs.
The RISC-V Foundation said that its focus on security from the ground-up was part of the reason why all the RISC-V chips were completely unaffected by Meltdown and Spectre.
