Decentralized Privacy-Preserving Proximity Tracing

Because contact logs are never transmitted to third parties, DP-3T has major privacy benefits over the PEPP-PT approach;[8][9] however, this comes at the cost of requiring more computing power on the client side to process infection reports.

The Apple/Google Exposure Notification project is based on similar principles to the DP-3T protocol and has supported a variant of it since May 2020.

The DP-3T SDK and calibration apps intend to support the Apple/Google API as soon as it is released to iOS and Android devices.

On 22 April 2020, the Austrian Red Cross, which leads the national digital contact tracing app, announced its migration to the DP-3T approach.

In Germany, a national app is being built on DP-3T by SAP SE and Deutsche Telekom, alongside CISPA, one of the organisations that authored the protocol.

As of September 30, 2020, contact tracing apps using DP-3T are available in Austria, Belgium, Croatia, Germany, Ireland, Italy, the Netherlands, Portugal and Switzerland.

The DP-3T protocol works on the basis of Ephemeral IDs (EphIDs): semi-random, rotating strings that uniquely identify a client only for as long as they are being broadcast.

When two clients encounter each other, they exchange EphIDs and store them locally in a contact log.

If an EphID regenerated from a published infection report matches an entry in the local contact log, the user has come into close contact with an infected patient and is warned by the client.

This is in contrast to competing protocols like PEPP-PT, where the central reporting server receives and processes client contact logs.

These EphIDs are logged locally on a receiving client's device and are never transmitted to third parties.

At the beginning of the day, a client generates a local list of size

To prevent malicious third parties from establishing patterns of movement by tracing static identifiers over a large area, EphIDs are rotated frequently.

This stream is then split into 16-byte chunks and randomly sorted to obtain the EphIDs of the day.

The DP-3T protocol is made up of two separate responsibilities: tracking and logging close-range encounters with other users (device handshake), and reporting those encounters so that other clients can determine whether they have been in contact with an infected patient (infection reporting).

The two devices then store the encounter in their respective contact logs in addition to a coarse timestamp and signal strength.

The health authority additionally instructs the patient on which day their report should begin (denoted as

, which they then check against their local contact log to determine whether the user has been in close proximity to an infected patient.
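The two halves described above, EphID generation from a daily secret key (the stream split into 16-byte chunks and shuffled) and the receiving side of infection reporting (regenerating an infected user's EphIDs from the reported key and checking them against the local log), as one added example. This is not code from the DP-3T SDK; it follows the structure of the DP-3T "low-cost" design (a SHA-256 hash chain of day keys SK_t, HMAC-SHA256 as the PRF with the label "broadcast key", AES in counter mode as the PRG). The 15-minute EphID lifetime, the AES-256 key size, the all-zero CTR IV, the 14-day report window and the day-index timestamp are this example's assumptions, and the Alice/Bob scenario in `main` is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math/big"
)

const (
	ephIDLen     = 16              // an EphID is one 16-byte chunk of PRG output
	ephIDsPerDay = (24 * 60) / 15  // n = 96 EphIDs for an assumed 15-minute lifetime l
	broadcastKey = "broadcast key" // PRF label from the DP-3T low-cost design
)

// SecretKey is the day key SK_t; only the SK_t of reported days ever leaves the phone.
type SecretKey [32]byte

// NextDayKey ratchets the chain forward, SK_{t+1} = H(SK_t) with SHA-256, so a
// published SK_t reveals nothing about the days before t.
func NextDayKey(sk SecretKey) SecretKey {
	return sha256.Sum256(sk[:])
}

// DailyEphIDs computes PRG(PRF(SK_t, "broadcast key")) and splits it into 16-byte chunks.
// PRF is HMAC-SHA256; PRG is AES-256-CTR over a zero IV (key size and IV are assumptions).
func DailyEphIDs(sk SecretKey) [][ephIDLen]byte {
	mac := hmac.New(sha256.New, sk[:])
	mac.Write([]byte(broadcastKey))
	block, _ := aes.NewCipher(mac.Sum(nil)) // only errors on a bad key size; HMAC output is always 32 bytes
	stream := make([]byte, ephIDLen*ephIDsPerDay)
	cipher.NewCTR(block, make([]byte, aes.BlockSize)).XORKeyStream(stream, stream) // keystream over zeros
	ids := make([][ephIDLen]byte, ephIDsPerDay)
	for i := range ids {
		copy(ids[i][:], stream[i*ephIDLen:(i+1)*ephIDLen])
	}
	return ids
}

// ShuffleForBroadcast randomly permutes the day's EphIDs (Fisher-Yates from crypto/rand) so the
// broadcast order does not leak the epoch index; receivers match against the set, so order is irrelevant.
func ShuffleForBroadcast(ids [][ephIDLen]byte) {
	for i := len(ids) - 1; i > 0; i-- {
		j, err := rand.Int(rand.Reader, big.NewInt(int64(i+1)))
		if err != nil {
			panic(err)
		}
		ids[i], ids[j.Int64()] = ids[j.Int64()], ids[i]
	}
}

// Encounter is one handshake in the local contact log: received EphID, coarse day index, signal strength.
type Encounter struct {
	EphID [ephIDLen]byte
	Day   int
	RSSI  int
}

// ExposureCheck is the receiving side of infection reporting: from a published SK_t and start day t,
// walk the chain forward for `days` days, regenerate each day's EphIDs and return matching local
// encounters. The contact log itself never leaves the device.
func ExposureCheck(log []Encounter, sk SecretKey, startDay, days int) []Encounter {
	var hits []Encounter
	for d := 0; d < days; d++ {
		set := make(map[[ephIDLen]byte]bool, ephIDsPerDay)
		for _, id := range DailyEphIDs(sk) {
			set[id] = true
		}
		for _, e := range log {
			// The day must agree as well: a beacon replayed on a later day does not match.
			if e.Day == startDay+d && set[e.EphID] {
				hits = append(hits, e)
			}
		}
		sk = NextDayKey(sk)
	}
	return hits
}

func main() {
	// Constructed scenario: Alice's phone draws SK_0 on day 0 and meets Bob on day 1.
	var sk0 SecretKey
	if _, err := rand.Read(sk0[:]); err != nil {
		panic(err)
	}
	sk1 := NextDayKey(sk0)
	aliceDay1 := DailyEphIDs(sk1)
	ShuffleForBroadcast(aliceDay1)
	bobLog := []Encounter{{EphID: aliceDay1[0], Day: 1, RSSI: -72}}
	// Alice tests positive and is told to report from day 1, so SK_1 is uploaded; Bob checks locally.
	for _, h := range ExposureCheck(bobLog, sk1, 1, 14) {
		fmt.Printf("exposure on day %d at %d dBm, EphID %x\n", h.Day, h.RSSI, h.EphID[:])
	}
}
```

Two properties of the design are visible here: a report contains only SK_t for the first reported day, and because the chain runs forward by hashing, a phone that downloads SK_1 can regenerate Alice's EphIDs for day 1 onward but learns nothing about day 0; and the day index stored with each encounter means the same beacon captured on day 1 and replayed on day 2 is not counted, which is the kind of replay the paper's coarse timestamp is meant to limit. All of the matching work (96 EphIDs per reported day per infected user) happens on the client, which is the computing cost the article's first paragraph refers to.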

When a user installs a DP-3T app, they are asked if they want to opt in to sharing data with epidemiologists.

Regions are large areas directly corresponding to health authority jurisdiction; the exact location is not recorded.

Vaudenay's work presents several attacks against DP-3T and similar systems. Specifically, sick and reported people may be deanonymized, private encounters may be revealed, and people may be coerced to reveal the private data they collect.

In response, the DP-3T group claim that out of twelve risks Vaudenay presents, eight are also present in centralized systems, three do not work, and one, which involves physical access to the phone, works but can be mitigated.

By contrast, centralized systems offer many countermeasures through accounting and auditing. In the same work[30] Vaudenay argues that, since neither the centralized nor the decentralized approach offers a sufficient level of privacy protection, different solutions should be explored, in particular suggesting the ConTra Corona,[31] Epione[32] and Pronto-C2[33] systems as a "third way".

Tang[34] surveys the major digital contact tracing systems and shows that DP-3T is subject to what he calls "targeted identification attacks".

Theoretical attacks on DP-3T have been simulated,[35] showing that persistent tracking of users of the first version of the DP-3T system who have voluntarily uploaded their identifiers can be made easy for any third party able to deploy a large fleet of Bluetooth Low Energy devices.

Figure: a diagram showing how the different components of the Ephemeral ID algorithm feed into each other.