3. Not allow someone who gets both (1) a log of authentication provider transactions, including timestamps, who was being verified, and whatever output the provider generated, and (2) a log of the website's age checks including timestamps, website accounts, and whatever proof was provided to match them up to associate real IDs from the authentication provider with website account IDs.
To make this work I think any such system will need to be so widely used that there are hundreds or thousands of verifications happening every second at each authentication provider and typical users get verified many times a day, and there should probably be some random delays introduced by the user's computer.
Otherwise it could be too easy to unmask people by looking at verification timing. If you are trying to unmask a user who verified through provider P and P only did a verification for one person that day it is very likely that is the person you are trying to unmask.
At this point, I can't even imagine a return to normal governing, let alone good governing. Like imposing enormous fines for ISPs selling user traffic data for packet analysis, to sell name-associated web traffic data to any company or foreign power even when the user is behind a VPN.
It should be assumed (for the purpose of evaluating if a system is actually secure) that they both are, and are working together.
Validation can be done cryptographically so that assertions (like age) can be verified by one party, and consumed by another party, without either of those parties being able to tie the combination together, even if they are actively cooperating.
3. Not allow someone who gets both (1) a log of authentication provider transactions, including timestamps, who was being verified, and whatever output the provider generated, and (2) a log of the website's age checks including timestamps, website accounts, and whatever proof was provided to match them up to associate real IDs from the authentication provider with website account IDs.
To make this work I think any such system will need to be so widely used that there are hundreds or thousands of verifications happening every second at each authentication provider and typical users get verified many times a day, and there should probably be some random delays introduced by the user's computer.
Otherwise it could be too easy to unmask people by looking at verification timing. If you are trying to unmask a user who verified through provider P and P only did a verification for one person that day it is very likely that is the person you are trying to unmask.