Say you have a user U who wishes to demonstrate to site S that they are at least 16, and we have a site G that already has a copy of U's government ID information.

Here's one way to do it, with an important security measure omitted for now for simplicity.

• S gives U a token.

• U gives G that token and shows G their ID.

• G verifies that U is at least 16, and then signs the token with a key that they only use for "over 16" age verifications. The signed token is given back to U.

• U gives the signed token back to S.

If G saves a list of tokens it signs and who it signed them for, and S saves a list of tokens it issues and what accounts it issued them for, then someone who gets both of those lists could look for tokens that appear on both in order to match up S accounts with real IDs.

To prevent that we have to make an adjustment. G has to sign the token using a blind signature. A blind signature is similar to a normal digital signature, except the the signer does not see the thing they are signing. All they see is an encrypted copy of the thing.

With that change a breach of G just reveals that you had your age verified and gives the encrypted token associated with that verification. These no longer match what is in the records of the sites you proved your age to since they only have the non-encrypted tokens.

Someone with both breaches might be able to match up timestamps, so even though they can't match the tokens from S directly with the encrypted tokens from G they might note that you had your age verified at time T, and so infer that you might be the owner of one of the S accounts that had a token created before T and returned after T.

This would be something people trying to stay anonymous would have to be careful with. Don't go through the full signup as fast as possible--wait a while before getting the token signed, and wait a while before returning the signed token. Then someone who is looking at a particular anonymous S account will have a much larger list of items in the G breach that have a consistent timestamp.

Also note that to G it is just being asked to sign opaque blobs. Occasionally have G sign random blobs. If your G data shows that you are getting your age verified a few times a month, then it is even more likely that if one of those verifies is at about the same time as a particular social media signup it is just a coincidence.