In the case where providers/servers are under NSA jurisdiction (or control, in the case of them hacking servers) -- they could also keep a copy of session keys.
But that would force them to intercept at many more points than simply various edge routers (which is what they may or may not be doing now, having (or not having) equipment at ISPs/TelCos).
Essentially, if you use gmail or outlook.com -- you'll just have to trust that no one has forced (or covertly) installed backdoored crypto libraries. I do think it is very likely security agencies (both foreign and domestic) have agents/assets working at large companies like Google and Microsoft -- I don't think it is very likely that they have been able to covertly subvert their infrastructure. But it certainly is possible.
They don't need to do that much. If they control a CA and a few ISPs (especially networks to the outside of the US, since apparently us in the rest of the world are fair game), they can MITM anyone reliably. The only defence is checking fingerprints, but few will bother.
But that would force them to intercept at many more points than simply various edge routers (which is what they may or may not be doing now, having (or not having) equipment at ISPs/TelCos).
Essentially, if you use gmail or outlook.com -- you'll just have to trust that no one has forced (or covertly) installed backdoored crypto libraries. I do think it is very likely security agencies (both foreign and domestic) have agents/assets working at large companies like Google and Microsoft -- I don't think it is very likely that they have been able to covertly subvert their infrastructure. But it certainly is possible.