This service is supposed to help protect against man-in-the-middle attacks on SSL certs signed with trusted Root CAs. But it can't protect if the man-in-the-middle attack is against the service itself. In other words, if the trusted Root CAs are giving away signing keys to state agencies, there is no protection for anyone against MITM. With this situation, how can SSL certs be considered secure at all?