Intel will have to defend itself against claims that the semiconductor giant knew its microprocessors were faulty and failed to notify its customers.
On Wednesday, Judge Michael Simon of the U.S. District Court in Oregon partially denied the tech giant’s motion to dismiss a class action lawsuit stemming from the public disclosure in 2018 of Meltdown and Spectre, the family of errors of microarchitecture design of data leaking chips.
The register The Meltdown story broke on January 2, 2018, as Intel and those who privately reported the security vulnerability prepared to disclose them. The next day, Google’s Project Zero released details about Meltdown and its cousin Spectre, revealing that efforts to speed up CPU cores using speculative execution have opened them up to side-channel attacks capable of read from memory that should be out of reach and divulge confidential information. .
To defend against Meltdown and Spectre, Intel and other affected vendors had to add software and hardware mitigations that, for certain workloads, slightly to significantly slow down patched processors.
Disclosure of related flaws has continued since then, as researchers develop variants of the initial attacks and find other parts of chips that similarly expose privileged data. This is a problem that is still not fully resolved.
Intel, as the largest maker of x86 microprocessors, was hardest hit by the findings: its chips were vulnerable to both Meltdown (along with Arm Cortex-A75 and IBM POWER) and Spectre, while rivals like AMD were only affected by Spectre. Thus, Intel is at the center of numerous litigations: the company faced 32 lawsuits just one month after the vulnerabilities were publicly acknowledged.
These lawsuits have been consolidated into a multidistrict proceeding known as the “Intel Corp. CPU Marketing, Sales Practices and Products Liability Litigation” (3:18-md-02828-SI). And since 2018, Intel has been trying to make them disappear.
Twice before, the judge had dismissed the plaintiffs’ complaint while allowing the plaintiffs to amend and refile their claims. This third time, the judge only partially granted Intel’s motion to dismiss the case.
Judge Simon dismissed purchase-based claims through August 2017 because Intel was unaware of the microarchitecture vulnerabilities up to that point. But it allowed seven claims, from September 2017, to proceed, finding that the plaintiffs’ claim that Intel delayed disclosing the flaws to maximize holiday season sales was plausible enough to allow the business to move forward.
“Based on the plaintiffs’ allegations, it is not clear that Intel had a countervailing business interest other than profit in delaying disclosure for as long as it did (during the holiday season), to minimize the negative effects of the mitigation, to remove the effects of the mitigation, and to continue to prohibit other security exploits that only affect Intel processors,” the judge wrote in his order. [PDF].
“For the seven plaintiffs who purchased computers after September 1, 2017, they have alleged sufficient facts at this stage of the proceeding to survive Intel’s motion to dismiss for failure to file a claim.”
The case is not yet destined to go to trial as there are more procedural steps along this road. The likely exit ramp for Intel, absent other procedural defenses, would be a settlement – a lawsuit is likely to result in significant compensation.
“We are satisfied with the Court’s decision, which found that the allegations we allege show that Intel “took advantage of consumers’ lack of knowledge, such that the resulting unfairness was patently noticeable, egregious, complete and without mitigation,” said Christopher Seeger, an attorney with Seeger Weiss LLP, who is lead counsel for the plaintiffs, in an emailed statement.
“We look forward to advancing this litigation on behalf of consumers and businesses who have found themselves with slower, less secure computers due to defects found in Intel’s processors.”
Intel declined to comment. ®