Briefly, your government issues you a digital signed copy of a document, such as a driver's license or passport, that gets bound to a hardware security element that you own. In current implementations these are the secure elements of smart phones, but there is no reason that standalone hardware security elements could not be supported.
When you want to provide information from that document to a third party a protocol is used which allows you to demonstrate to the third party that (1) you have a document from the government bound to your hardware security device, (2) you have unlocked the hardware security device, (3) and the document says what you say it says (e.g., "the birthdate field in this document contains a value that is more than 18 years in the past").
This third party gets no additional information about the contents of your document. The protocol takes place entirely between your device and the third party, so the government that issued you the bound document has no idea when or if you use it.
Someone over 18 person could indeed decide to help others prove age, but they would either have to do it in person or be willing to loan their unlocked security element to those others.
> Someone over 18 person could indeed decide to help others prove age, but they would either have to do it in person or be willing to loan their unlocked security element to those others.
You can still automate age-verification-as-a-service using a physical autoclicker on a smartphone with the camera oriented at a screen showing QR codes. I expect this to happen, and for that reason I also expect true anonymity to be something that will last a year or so until it will be politically decided to fix the issue using some central party that verifiers have to contact to impose rate limiting.
TPM can solve the "neither side gets info about who you are or where it's used" part, but it seems like that might mean any TPM leak also means a single token can be used infinitely without detection, yea? Otherwise it's uniquely identifying, which wouldn't be even slightly private.