They aren't. The tag generates and broadcasts a public key that is rotated every 15 minutes. A nearby "finder" device receives a broadcast, encrypts its location with the received key and sends it with a hash of the public key to Apple's anonymous location directory. The owner (who keeps the same key pair rotation algorithm running from the same seed key) can look up a bunch of key hashes for a range of 15-minute intervals and then fetch and decrypt location payloads. No device or account IDs are transmitted in the process.