Comment by AnthonyMouse
5 hours ago
A cursory look implies they're using group signatures:
https://en.wikipedia.org/wiki/Group_signature
Which allow the group manager (presumably the government, or anyone who compromises them) to identify who signed something.
If using the same card multiple times with the same site allows the site to correlate them then that obviously also allows the site to link two accounts you intended to be separate, or two sites to set themselves up as the same "vendor" and thereby correlate your accounts between them.
ZKPs are mentioned in the technical specs but no implementation yet. Would go for lack of standardisation / lack of harware support for these protocols as the explanation but who knows..