Read the spec, but in a nutshell you only report your tokens if you test positive. Then other people check to see if they have seen any reported tokens using a clever algorithm that doesn't involve them reporting all the tokens they have seen.
The central authority just has a list of tokens from infected people. A corrupt central authority could also massively deploy token recorders across an area and then see when and where the infected people were seen, but governments already have that capability just from the cellular systems.
The central authority just has a list of tokens from infected people. A corrupt central authority could also massively deploy token recorders across an area and then see when and where the infected people were seen, but governments already have that capability just from the cellular systems.