by kniht 4745 days ago
TLS client authentication allows the server to detect when an active MITM attempts to get into the connection[1]. This means that if you hold the theory that the NSA is acting as a MITM with Google's private keys, you also have to assume that they know they'll be detected the second anyone tries to use a client certificate to connect.

[1] http://security.stackexchange.com/questions/26142/do-client-...

1 comments

If you have the key from the server, and it's not using a cipher suite that supports forward secrecy, then you do not need to actively MITM to decrypt the traffic. All you need is the long-term key and the intercepts. You can then decrypt the session key from the initial connection setup.

This is why the DHE/EDH modes exist. They use DH to agree on a session key, then use the long-term key just to ensure the DH agreement hasn't been actively MITM'd. The session key is never transmitted or permanently stored, so once the connection cache expires, nobody can decrypt retroactively, not even the parties to the conversation.
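A toy model of the distinction drawn in the comment above, added here as an illustration rather than taken from the thread or from any TLS library. The RSA and Diffie-Hellman parameters are constructed and deliberately tiny, there is no padding or real TLS message format, and the names `handshake_rsa`, `handshake_dhe` and `passive_decrypt` are my own. The point it shows: a recording of an RSA key-transport handshake plus the server's long-term private key yields the session key, while a recording of a DHE handshake plus the same private key does not, because the ephemeral exponents were never on the wire and the long-term key only signs the server's DH share.

```python
"""Toy model of RSA key transport versus ephemeral DH (DHE) key exchange.

Constructed for illustration: textbook RSA and DH with tiny parameters,
no padding, no real TLS framing.  Not usable as cryptography.
"""
import hashlib
import secrets

# Server's long-term RSA key pair (constructed toy primes, far too small for real use).
RSA_P, RSA_Q, RSA_E = 999983, 1000003, 65537
RSA_N = RSA_P * RSA_Q
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))   # private exponent


def rsa_public(m: int) -> int:
    """Encrypt to the server, or verify a signature the server made."""
    return pow(m, RSA_E, RSA_N)


def rsa_private(m: int) -> int:
    """Decrypt as the server, or sign as the server (needs the long-term secret)."""
    return pow(m, RSA_D, RSA_N)


# Toy Diffie-Hellman group: p = 2^31 - 1 (prime), g = 7 (a primitive root mod p).
DH_P, DH_G = 2**31 - 1, 7


def derive_key(secret: int) -> bytes:
    """Stand-in for the TLS key schedule: session key = hash of the shared secret."""
    return hashlib.sha256(secret.to_bytes(8, "big")).digest()[:16]


def sign_share(share: int) -> int:
    """Server signs its DH share with the long-term key (hash, then textbook RSA)."""
    digest = int.from_bytes(hashlib.sha256(share.to_bytes(8, "big")).digest(), "big")
    return rsa_private(digest % RSA_N)


def verify_share(share: int, signature: int) -> bool:
    """Client checks that the DH share it received was signed by the server's key."""
    digest = int.from_bytes(hashlib.sha256(share.to_bytes(8, "big")).digest(), "big")
    return rsa_public(signature) == digest % RSA_N


def handshake_rsa(premaster=None):
    """RSA key transport: the client encrypts the premaster secret to the server's
    long-term public key.  Returns (session_key, what a passive eavesdropper records)."""
    if premaster is None:
        premaster = secrets.randbelow(RSA_N - 2) + 2
    capture = {"mode": "rsa", "encrypted_premaster": rsa_public(premaster)}
    server_view = rsa_private(capture["encrypted_premaster"])   # server recovers it
    assert server_view == premaster
    return derive_key(premaster), capture


def handshake_dhe(a=None, b=None):
    """Ephemeral DH: the long-term key only signs the server's share, so the client
    can reject a share that was altered in transit.  The exponents a and b are
    never transmitted and are dropped once the handshake is done."""
    a = a if a is not None else secrets.randbelow(DH_P - 2) + 1
    b = b if b is not None else secrets.randbelow(DH_P - 2) + 1
    server_share = pow(DH_G, a, DH_P)
    signature = sign_share(server_share)
    client_share = pow(DH_G, b, DH_P)
    if not verify_share(server_share, signature):
        raise ValueError("server share not signed by the long-term key")
    capture = {"mode": "dhe", "server_share": server_share,
               "client_share": client_share, "signature": signature}
    shared_client = pow(server_share, b, DH_P)   # (g^a)^b
    shared_server = pow(client_share, a, DH_P)   # (g^b)^a
    assert shared_client == shared_server
    del a, b                                      # ephemeral secrets discarded
    return derive_key(shared_client), capture


def passive_decrypt(capture: dict, rsa_d: int):
    """Eavesdropper holding the server's long-term private exponent and a recording
    of the handshake, having changed nothing on the wire."""
    if capture["mode"] == "rsa":
        # The recording carries the premaster secret under the long-term key:
        # decrypt it and the session key follows, for any past or future session.
        return derive_key(pow(capture["encrypted_premaster"], rsa_d, RSA_N))
    # The recording holds g^a, g^b and a signature.  The private exponent can
    # check (or produce) signatures but does not yield g^ab; that needs a or b,
    # which were never sent.  There is nothing to decrypt.
    return None


if __name__ == "__main__":
    key, cap = handshake_rsa()
    print("RSA mode: recovered session key from recording?", passive_decrypt(cap, RSA_D) == key)
    key, cap = handshake_dhe()
    print("DHE mode: recovered session key from recording?", passive_decrypt(cap, RSA_D) is not None)
```

The `verify_share` step is the only place the long-term key appears in the DHE handshake, which is what the comment means by the key being used "just to ensure the DH agreement hasn't been actively MITM'd": a share that arrives altered fails verification, while a recording of an unaltered exchange gives the holder of that key nothing to decrypt.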