bluetooth – How does the Apple/Google Exposure Notification system prevent infected users from being identified?

Under Apple and Google’s contact tracing scheme, Alice’s device generates a daily random value (termed a Temporary Exposure Key or TEK in the Cryptography Specification). Every 10 minutes, a Rolling Proximity Identifier (RPI) is generated from the TEK (by first hashing, and then encrypting with AES using the time as the key). When Alice and Bob meet, her device sends his device her current RPI.

The FAQ (p.3) states that

> people who test positive are not identified by the system to other users, or to Apple or Google.

How is this accomplished? What prevents Bob from setting up a database of all the keys he receives, indexed by the name of the person, and then, when one of the keys appears on the server, referencing the database to find out who uploaded it?
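For reference, an added example (not part of the original post) of the RPI derivation as published in the Exposure Notification Cryptography Specification v1.2, and of the local matching a receiving device performs when a diagnosis key is published: RPIK = HKDF(TEK, NULL, "EN-RPIK", 16), and RPI = AES-128(RPIK, "EN-RPI" || six zero bytes || little-endian interval number). AES is written out in pure Python so the block runs with the standard library only; the function names, the sample TEK and the logged encounter are constructed for illustration.

```python
import hashlib, hmac, struct

def _xt(a):  # multiply by x in GF(2^8), the AES field
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1

def _sbox():  # S-box: field inverse, then the AES affine map
    p, q, box = 1, 1, [0x63] * 256
    while True:
        p ^= _xt(p)                                    # p *= 3
        q ^= q << 1; q ^= q << 2; q ^= q << 4; q &= 0xFF
        q ^= 0x09 if q & 0x80 else 0                   # q /= 3, so p * q == 1
        r = q * 0x101                                  # r >> (8 - n) is q rotated left by n
        box[p] = ((q ^ r >> 7 ^ r >> 6 ^ r >> 5 ^ r >> 4) & 0xFF) ^ 0x63
        if p == 1:
            return box
SBOX = _sbox()

def aes128_encrypt_block(key, block):
    w, rc = [list(key[i:i + 4]) for i in range(0, 16, 4)], 1
    for i in range(4, 44):                             # key schedule
        t = w[i - 1]
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0], rc = t[0] ^ rc, _xt(rc)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    rk = [sum(w[4 * r:4 * r + 4], []) for r in range(11)]
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, 11):
        s = [SBOX[s[(i + 4 * (i % 4)) % 16]] for i in range(16)]  # SubBytes + ShiftRows
        if rnd < 10:                                   # MixColumns
            s = [_xt(s[c + i] ^ s[c + (i + 1) % 4]) ^ s[c + (i + 1) % 4] ^ s[c + (i + 2) % 4]
                 ^ s[c + (i + 3) % 4] for c in (0, 4, 8, 12) for i in range(4)]
        s = [b ^ k for b, k in zip(s, rk[rnd])]
    return bytes(s)

def hkdf16(ikm, info):  # HKDF-SHA256 with NULL salt, 16 bytes of output
    prk = hmac.new(bytes(32), ikm, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()[:16]

def rpi(tek, enin):  # identifier broadcast during 10-minute interval `enin`
    padded = b"EN-RPI" + bytes(6) + struct.pack("<I", enin)
    return aes128_encrypt_block(hkdf16(tek, b"EN-RPIK"), padded)

def match(diagnosis_key, start_enin, observed):  # intervals where a logged RPI matches
    return [j for j in range(start_enin, start_enin + 144) if rpi(diagnosis_key, j) in observed]

# Constructed sample data: a made-up TEK and one encounter logged at START + 37.
START, TEK = 18400 * 144, bytes(range(16))
OBSERVED = {rpi(TEK, START + 37), bytes(16)}
```

`match(TEK, START, OBSERVED)` returns the single interval number at which the logged RPI was broadcast, which is the only information the published key adds to what the receiving device had already recorded.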