Smart Phone Check Initiative RFP Q & A

  1. Is it intended that the “Device Blacklist Source Database(s)” as referred to in various sections of the RFP will be provided by the US carriers directly to the ultimate provider of the system? Answer: Many carriers are the originators of the information regarding whether a mobile device is reported lost or stolen. That information is provided to central source databases as indicated in the RFP. The Portal is not intended to replicate or duplicate existing databases, but instead to aggregate information from existing source databases and make the information available through the portal as outlined in the RFP.
  2. If not, is it intended for the GSMA to provide this blacklist? Answer: As indicated above, the portal is not intended to replicate or duplicate existing source databases, but instead to aggregate information from them. The GSMA database is one such database that contains information about the status of whether a mobile device may have been reported to a carrier as lost or stolen.
  3. If the answer to 1 above is “Yes”, what will the cost and terms of that supply be? Answer: Respondents to the RFP are expected to propose one or more business models to address the long term viability of the portal on a “cost recovery” basis. Costs associated with access to information from source databases should be considered as part of the RFP response.
  4. If it is intended for the GSMA to be the supplier, what will the cost and terms of that supply be? Answer: See answer above.
  5. Depending on the answers to the above questions, will the CTIA facilitate the provision of this data or will it be up to the provider of the system to negotiate for the provision with the data suppliers? Answer: Each respondent should address the question of proposed business model for the long term viability of the portal, including any requirements that CTIA would need to address as part of the business model being proposed.
  6. Page 12, Section 3.4.2 item 1b: does the parenthetical "IMEI without check digit" mean "not including the MEID check digit"? Answer: Yes, that is correct.
  7. Page 10, Section 3.1.2 “Law Enforcement Access” – How must the MDIP vendor “substantiate an agency’s identity and authority as a Law Enforcement Agency”? Answer: That will be addressed in the outreach CTIA contemplates with law enforcement.
  8. Page 11, Section 3.1.3 “Commercial Access” – How must the MDIP vendor “substantiate a corporate identity”? Answer: That will be addressed in the outreach CTIA contemplates to commercial entities.
  9. Page 16, Section 3.5 Are arrangements to incorporate the GSMA blacklist as a data source being handled by CTIA? Answer: No, the MDIP vendor is expected to provide recommendations for the availability of blacklist datasources, including GSMA if needed.
  10. Page 14, Section “Commercial Response” – Are arrangements to incorporate the GSMA TAC data as augmented information for LEA and reseller user types being handled by CTIA? Answer: No, the MDIP vendor is expected to provide recommendations for the availability of augmented information.
  11. Is it intended that the MDIP is “CTIA-branded” with the provider’s name and brand not appearing on the portal? Answer: Yes, the MDIP will be CTIA branded. Additional branding by the Portal provider is a possible topic for discussion.
  12. Will CTIA provide the information to end users with the provision effectively sub-contracted out to the proposer under the RFP? Or is it intended that the “contract” for the user is with the proposer? Answer: Yes, CTIA will contract for the implementation of the MDIP to make aggregated information available. To the extent contracts are needed with some users (e.g. commercial entities), CTIA will be responsible for such.
  13. Section 2.1 indicates that the MDIP will be required to work within the CTIA’s existing web structure and internet presence. Is that a branding requirement or some form of technical integration – can you clarify? Answer: CTIA has an existing web presence. The MDIP provider will be required to work within the existing web design technical framework.
  14. What marketing will CTIA place behind the launch and on-going promotion of the portals? What budget will be set aside for this? Will the provider have any input into any marketing and educational programs? Answer: Yes, the provider will have input to marketing and educational programs, and recommendations for such are encouraged in the RFP response.
  15. Is the advertising of commercial enterprises on the site an acceptable form of revenue generation? Answer: As outlined in the RFP, the item is open for discussion and consideration.
  16. Is "Blacklist" defined to include "that collection of data shared by major networks who have chosen to comply with the CTIA Voluntary commitment?" Answer: It is the collection of data provided by network operators and housed in datasources such as the GSMA database.
  17. Does "Blacklist" exclude records that do concern stolen devices but are not included in the data exchanged with other networks? Answer: Same answer as above.
  18. If the proposer has access to and ownership of other data sets that will enhance the MDIP offering and provide value in crime reduction will the CTIA encourage or discourage the use of this data in the MDIP? Answer: Yes, CTIA will encourage and welcome Vendors to leverage existing relationships and develop innovative approaches to provide increased access to other data sets.
  19. Section 2 This indicates that the MDIP will not host a duplicate copy of any database or information. It is then recognized further in the report that some form of “status change monitoring” would be of value to users and something that could help raise funds and effectively fund the portal and its operation. However, effective status change monitoring requires regular (at least daily) alerts to be effective. Without copy data based on 1m new checks per day (as per 3.7.2) this would require the portal generating 31 million additional status checks per day for 31-day status change monitoring. Have the implications of this level of volume been considered? Answer: The MDIP vendor proposal should address new and innovative ways to address the requirements in the RFP. If a particular requirement cannot be satisfied, then the response should clearly state non-compliance and offer a rationale.
  20. Will CTIA be compelling data providers to provide support for consumer, trade and LEA inquiries as to data quality? For example, consumer’s phone appears blocked according to MDIP but their network says it is not blocked and in fact it does function. This prevents them selling their phone perhaps. (From experience this happens and escalation routes with data providers are of paramount importance). Answer: This question is outside the scope of the RFP and CTIA is not in a position to compel data providers. Nonetheless, the MDIP metrics may be useful tools for ongoing industry process improvement.
  21. Section 2.2.3 refers to usage agreements for use of the MDIP by Law Enforcement users. Does the CTIA have any guidance on those usage agreements or will the provider be left to agree and negotiate these? Answer: These agreements have to do with the provisioning of access credentials, number of users and overall volume. CTIA will have input into the legal terms and conditions that Law Enforcement users must sign prior to accessing the MDIP.
  22. Are there any specific legal or data protection issues why Consumers will not be required to establish an account or provide personal information to perform a check? If so could you provide details? If not can you explain the rationale? Answer: Consumers are not required to establish an account or provide personal information. It is a general service available to consumers in the US, limited only by a cap on the number of queries per user per 24-hour period.
  23. Why will consumer access be restricted to US-based consumers when it is acknowledged that many phones stolen in the US are taken overseas and sold there? (These devices often still find their way back into the US through various routes.) Answer: The rationale is based on priority of the service for US consumers, the ability to size the solution from a capacity perspective and the FCC TAC reports as referenced in the RFP.
  24. Section 3.4.1 first two bullet points are 'Account management' and 'Account Administration view' respectively. What functions does CTIA consider be classified as Account management vs Account Administration? Answer: Account Management is the ability for a specific user to manage their unique account while Account Administration includes functions used to manage a group of users associated with an administrative role.
  25. Figs 3.2 and 3.3 refer to “Blacklisted” and “Not Blacklisted”. However, elsewhere there is a clear indication that future data sources other than what is today commonly known as “Blacklist” will be referenced by MDIP. Therefore, should there be a requirement to qualify the data source to provide context to the MDIP user? For example, today there are a great many (tens of millions) of stolen MEIDs that the accepted industry standard blacklist has no awareness of. These records may be available to MDIP. How should they be indicated to the MDIP user? Answer: Yes, in the event of multiple data sources, there is the need to provide context. The MDIP aggregates data from existing datasources and presents the data in an easy to understand fashion to the user. The RFP defines Device Blacklist Source Databases as it relates to Phase 1. Phase 2 defines connectivity to anti-theft status databases.
  26. Is the intention of 3.4.2(1)(b) to assert that an MEID is equivalent to an IMEI without a check digit (an assertion we would also question)? Or is it a request that the MDIP query input should accept an MEID in decimal form OR an IMEI without a check digit. Answer: MEID in decimal or hexadecimal format, without the check digit. IMEI in standard format.
  27. In et al a standard format for the device identifier is mentioned. Is this simply the entered version (whether decimal or hex) with invalid characters removed? If not, what documentation defines standard representation for device ID (as devices themselves use a variety of display formats)? Answer: Yes, it is the entered version (whether decimal or hex) with invalid characters removed.
  28. refers to manufacturer and marketing name. This information is currently sold by the GSMA to interested parties. On what terms will it be made available to MDIP? Or does this need to be separately negotiated with the GSMA? Answer: The information may be provided if available from the datasource. It is up to the MDIP provider to assess the availability of individual datasources.
  29. Should the bulk query response CSV file required in contain additional columns providing the same information as required by to 6) and (2 to 7) respectively? Answer: Yes, it may.
  30. This line of the law enforcement response in Section (5) refers to the “country and operator responsible for each blacklist…” Is it expected that the proposer has access to blacklist data beyond the US? Answer: It depends on the data source, in some cases the “country” information may be available.
  31. Does ‘Device Blacklist Source Database(s)’ in 3.5.2 refer to the API available from GSMA or the information direct from Operators that is fed to the GSMA? Or multiple unnamed sources as implied by the (s)? Answer: As stated in the RFP, there may be one or more data sources, the GSMA database is an example for how a datasource adaptor may be applied.
  32. Depending on the responses to the question directly above what will be the costs of provision by the GSMA or by the operators? What will the term and other conditions of supply be? Answer: It is up to the MDIP provider to assess the availability of individual datasources.
  33. 3.6.1(1) ‘easy to create and inspect’. This is a subjective definition based on the skills and experience of the Administrator. Can you confirm that the Administrator referred to is that subsequently defined in 3.10(2) and can therefore be assumed to operate with the same skills as the MDIP provider? Answer: Yes, that is correct.
  34. Regarding Section 3.7.1(2) what is the maximum time the ‘processing request’ message should be present for before the request is abandoned and the unavailable message given to the user? Answer: It is up to the MDIP provider to determine the appropriate time leading to an abandoned request and proper notification to the user. Such time periods should be specifically stated in the RFP response.
  35. Section 3.7.2 states 50 queries per second an average of 1 million per day. With 86,400 seconds in 24 hours, 50 queries/second equates to 4.3m queries per day. Is the requirement actually 1 million over a portion of a day or 50 per second? Answer: The RFP states a peak of 50 queries per second and an average of 1 million queries per day.
  36. How has the query rate and anticipated traffic level been arrived at? Answer: Based on estimated traffic for the US market.
  37. For Section 3.7.2, can the source data be used to inform this traffic level distinguish between consumer and trade use? Trade use has a very different profile to consumer and has the potential to impact consumer experience if not considered well. Answer: Yes.
  38. Section refers to "If you already received the device" presenting part of the protecting yourself from fraud content. Has this content been prepared already? If so, where can we find it? If not, what is the desired advice (with some legal merit) on what to do if you discover through use of MDIP that the device you now have in your possession is stolen? Assuming you cannot return it for a refund to the seller as they have moved on, what should you do with it? Answer: CTIA will develop such content and make it available.
  39. For Section 3.11.1(1), will source database providers be expected to adhere to any SLA? Will source database providers be required to provide escalation contacts for MDIP to advise of service outage and receive regular updates? Answer: Yes, source database providers should be expected to adhere to an SLA. Yes, source database providers should be required to provide escalation contacts.
  40. For Section 3.11.1(5), other than traffic that triggers the maximum request count limits, what would constitute an unusual traffic pattern? If such an unusual traffic pattern is detected, should there be a permanent cessation of service to the offending account holder or IP address? Answer: The MDIP vendor should provide recommendations as to proper handling of such events as for example a Distributed-Denial-of-Service attack on the MDIP e.g. overloading the number of requests to the MDIP from a set of IP addresses.
  41. For Section 3.14.1(4), latency will be a factor of the number of external source databases as each call will, irrespective of external latency consume time in the MDIP process. How many external data sources are expected to be supported within this 1 second MDIP process latency? Answer: The MDIP vendor should define or recommend limitations on the number of external data sources in order to meet the latency requirement.
  42. For Section 3.16.1, does “other data sources” mean the activation link providers referred to elsewhere or other data about stolen devices that is not included in the “blacklist” (assuming the definition is as we suspect that list arising as a result of the CTIA voluntary commitment). For example, should it include devices reported stolen to insurers and police that are not also reported stolen to operators? Answer: As outlined in Figure 2-1, the Device Blacklist Source Databases must reflect information reported to operators about devices that are lost or stolen. “Other data sources” may reflect information beyond that reported to the Operator as described for Phase 2.
  43. For Section 3.16.2., every computer program is extensible through reprogramming so this is a very broad requirement point. As additional status information becomes available and changes to the output of MDIP are required, are CTIA required to approve proposed output changes through a change control process? Answer: Yes.
  44. For Section 3.16.3(1) As there is no meaningful way of determining a consumer from a commercial user other than by inference based on volume, is it acceptable to achieve this provision by suggesting to consumers that if they want more checks then they need to register as a commercial user? If not, and assuming that there is an intention to charge commercial users, how are we to distinguish between a modest volume commercial user (gaining free use implied by 3.16.3(1)) and the consumer who is happy to provide the details mentioned in return for a higher number of checks? Answer: Commercial users are expected to use access credentials to access the MDIP, not unlike Law Enforcement. Consumers are not required to use access credentials, unless they volunteer requested data, e.g. email address or mobile phone number for a larger number of queries. Nonetheless, the login profile information is different, e.g. password requirement in the case of commercial or law enforcement users.
  45. Where does the intellectual property for MDIP reside? Answer: The vendor proposal is expected to provide a recommendation in response to Section 16.2 “Vendor Statement of Asset Treatment.”
  46. Does CTIA “own” MDIP when delivered? Answer: Same answer as above.
  47. Is there a finite time the successful proposer will be expected to run the system? Answer: The vendor is expected to run the MDIP system under CTIA’s direction. The vendor may provide recommendations as to contract duration.
  48. If a future award is made to another party will the other party have to rebuild or are they expected to take over existing infrastructure (which then presents off-boarding costs that must be considered as well as capital costs to be recovered in the event of cessation)? Answer: The vendor response in Section 7 should address a comprehensive business plan and may include transition costs.
  49. Does CTIA expect to receive income from the proposal or simply to allow the proposer to generate enough revenue to recover its costs? Answer: The MDIP will be operated on a strict cost-recovery basis.
  50. If cost recovery is the goal, does that prohibit profit for the proposer? Answer: The vendor response should include a comprehensive business plan.
  51. Section 2.1.2 Source Database Adaptors - can any more information be shared regarding the holders of the source databases (i.e. carriers, retailers, trade organizations, etc.)? Should we assume that the portal will only have mechanized interfaces? Is there an expectation that FTP or manual processes will be used as well? Should we assume that all interfaces will be real-time, and that no off-line / batch processing is required? What types of protocols/interfaces do these sites provide (e.g. SOAP, REST)? Answer: The Vendor is expected to recommend the appropriate source databases and corresponding interface protocols, associated methods and procedures to meet the overall requirements in the RFP.
  52. Section 2.1.3 Business Logic - Are there business rules for handling discrepancies in device status? For example, clear rules to define the behavior if the portal queries multiple sources and receives conflicting information on the status of a device? Are there business rules to handle duplicate device id’s? Answer: Consistent with the above, the Vendor is expected to aggregate information from the source databases and present the information in response to a query. The MDIP is not to duplicate existing databases, nor interpret or modify the results provided by the source databases. The Vendor is not making judgment calls on conflicting information.
  53. Section 3.11.2 Data Collection - Reporting characteristics includes responses by carrier and device type. Can you clarify the relationship between these attributes and the requirements in sections and Section is the Consumer response and is the Commercial Entity response. The Commercial Entity response contains the same information as the consumer response with added information as outlined in the RFP.
  54. General Questions: Should vendors plan to bear any responsibility for accuracy of the data received from the various databases, or the completeness of the total available data (i.e. any enforcement of participation by carriers or retailers)? Answer: The Vendor is expected to aggregate information from the source databases and present the information in response to a query. The MDIP is not to duplicate existing databases, nor interpret or modify the results.
  55. Is ongoing communication, data scrubbing, or further information exchange with holders of the source databases part of current or future requirements planning? Answer: The Vendor is expected to provide recommendations for further information exchange consistent with the proposed source databases.
  56. How will operational questions and data specific customer inquiries be handled? Are vendors expected to answer customer and carrier questions, or will these be referred to CTIA? Answer: The vendor is expected to provide recommendations for help desk support as outlined in the RFP.
  57. Assuming the winning vendor will host the platform as well as provide software, is a cloud-based solution acceptable? Answer: Yes, so long as reliability, privacy and security requirements are satisfied.
  58. Would 100mm records be an appropriate initial sizing for the MDIP database? Answer: The MDIP is a portal that aggregates information from existing datasources. Sizing of the MDIP should be based on the RFP requirements and the vendor’s design criteria that satisfies the requirements.
  59. The RFP makes reference to connecting to external datasources in the future, could you share examples or thoughts around which types of datasources or services this could apply to? Answer: The RFP describes a phased approach to connecting to external datasources. An example of one such datasource is the GSMA database, other examples may include OEM and OS Provider datasources.
  60. The Anti-theft services, could we get more clarity on these? Is this referring to risk scoring services that query the MDIP for validation? Or are there uses or services that the MDIP would make use of? Are there examples of these offerings (e.g. just links to those offered by third-party companies?) Answer: There are a number of industry provided anti-theft tools and more information is available at http://www.ctia.org/policy-initiatives/voluntary-guidelines/smartphone-anti-theft-voluntary-commitment.
  61. On the bottom of page 6 there is this passage: See Section 2.2 Use Cases and Section Error! Reference source not found it appears that a section was cut off, or a reference missing. Is there a Use Case section for 2.2? Answer: All the use cases are listed in Section 2.2, the second Section reference should have been deleted.
  62. Will the vendor take on primary outreach and on boarding of Law Enforcement Agencies (LEA) or will CTIA? Answer: CTIA will be responsible for outreach, the vendor will be responsible for providing credentials to approved law enforcement entities as outlined in the RFP.
  63. Would all LEA’s onboard near-simultaneously, or is a phased launch envisioned? Regionally? or by Agency Level? (City, County, State, Federal) Answer: The on-boarding will vary by agency and geography.
  64. Is connecting to the GSMA database a launch or near-term requirement or desire? If so, are there available integration documents or a contact there with whom we can connect? Answer: The vendor is expected to provide recommendations as to the appropriate Blacklist datasources.
  65. Our response will be inserted inline in the original document, however, as the original doc is almost 40 pages in length, our additions will bring over the 40 pages submission. Removing sections or text to reduce the size may make it harder to read. Please advise how we can format the response to comply with the size limit. Answer: Vendors are expected to follow the instructions outlined in the RFP, and in particular the outline shown in Appendix A titled Proposal Structure. The response page limit remains 40 pages as specified in the RFP.
  66. RFP section 1.4 states that “Past performance should be divided into a generic portion that covers as much as possible without identifying the Vendor and a Vendor-revealing portion that can be withheld from the initial evaluators”. Annex A, section 3.1 states that “The past performance section should contain a short section that covers information that may easily identify the Vendor and can be used to verify past performance.” Can you confirm if two sections are required, and if one should be anonymous? Answer: The sections specific to the identity of the vendor are Section 3.1 titled “Vendor Identifying Qualifications”, and Section 2 titled “Company Overview”.
  67. Section 1.4 suggests that bids will be evaluated blind by the initial evaluators. Which sections of the bids will be provided to the initial evaluators? Answer: All of the Sections outlined in Appendix A of the RFP will be provided to the initial evaluators with the exception of Sections 2 and 3.1.
  68. Will any information in a bid be deleted or obfuscated to hide the bidder’s identity when passing that information to the initial evaluators? How will this be achieved? Answer: Each submission is expected to comply with the RFP instructions. Submissions that fail to comply will be addressed by CTIA staff on a case-by-case basis.
  69. Please name the organisations performing the initial evaluation? Answer: The RFP states that the evaluators are familiar with the MDIP requirements and the wireless industry. The evaluators will be comprised of carrier representatives and CTIA staff. With the exception of CTIA, the organizations participating in the evaluation will not be disclosed.
  70. Please name the organisations who will be present at the bid presentations? Answer: With the exception of CTIA, the organizations participating will not be disclosed in advance of the bid presentations.
  71. What impact does the initial evaluation have on the final evaluation? Answer: The initial evaluation will result in the selection of vendors invited to make in-person presentations to the panel of evaluators.
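
Answers 6, 26 and 27 describe the accepted query input: an IMEI in standard format, or an MEID in decimal or hexadecimal form without its check digit, kept as the entered value with invalid characters removed. The sketch below is an added example, not part of the RFP or of any CTIA or vendor code; the identifier lengths (15-digit IMEI with a Luhn check digit, 14-digit hex or 18-digit decimal MEID) are standard facts not stated on this page, and the function names, kind labels and sample values are hypothetical.

```python
import re

MAX_INPUT_LEN = 64  # assumption: bound the work done on untrusted input


def luhn_check_digit(body: str) -> int:
    """Luhn check digit for the 14-digit decimal body of an IMEI."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:  # rightmost body digit and every second one after it
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return (10 - total % 10) % 10


def meid_decimal_to_hex(meid_dec: str) -> str:
    """18-digit decimal MEID -> 14-digit hex (10 digits = 32 bits, 8 = 24 bits)."""
    mfr, serial = int(meid_dec[:10]), int(meid_dec[10:])
    if mfr > 0xFFFFFFFF or serial > 0xFFFFFF:
        raise ValueError("decimal MEID field out of range")
    return f"{mfr:08X}{serial:06X}"


def normalize_device_id(raw: str) -> tuple[str, str]:
    """Return (kind, standard_form) for a query input, or raise ValueError.

    standard_form follows answer 27: the entered value with every character
    outside 0-9/A-F removed. Classification by length is this example's own
    rule, so leftovers such as the 'E' from a pasted "IMEI" label are rejected
    instead of being queried as a different device.
    """
    if len(raw) > MAX_INPUT_LEN:
        raise ValueError("input too long")
    cleaned = re.sub(r"[^0-9A-Fa-f]", "", raw).upper()
    is_decimal = cleaned.isdigit()

    if len(cleaned) == 15 and is_decimal:
        if luhn_check_digit(cleaned[:14]) != int(cleaned[14]):
            raise ValueError("IMEI check digit mismatch")
        return ("IMEI", cleaned)
    if len(cleaned) == 14 and is_decimal:
        return ("IMEI_NO_CHECK", cleaned)  # "IMEI without check digit" (answer 6)
    if len(cleaned) == 14:
        return ("MEID_HEX", cleaned)
    if len(cleaned) == 18 and is_decimal:
        meid_decimal_to_hex(cleaned)  # range check only; entered form is kept
        return ("MEID_DEC", cleaned)
    raise ValueError("not a recognised IMEI or MEID form")


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real device or database.
    for sample in ["49-015420-323751-8", "af 01 23 45 0a bc de",
                   "2936087365 00703710", "IMEI 490154203237518"]:
        try:
            print(repr(sample), "->", normalize_device_id(sample))
        except ValueError as exc:
            print(repr(sample), "-> rejected:", exc)
```
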
