For the average webmaster, having Google switch to TLS has made tracking somewhat more difficult. The problem, of course, lies in that the referral connection was encrypted and so you can no longer just 'see' it as was the case years ago. That being said, tracking is not impossible. For instance, the average webmaster can use services that essentially embed tracking cookies on many subscribed sites (Google themselves do this). Google only gives you analytic data to your site but it still collects all of this data (we will touch on that later).
Hypothetically, you could also create your own tracker that simply embeds a bit of code on every website that stores the user's info; however, this is obviously infeasible and also not needed (although Google and others do try)!
If you are a law enforcement agency, intelligence agency (GCHQ), or hacker, you potentially have access to the conduit that all of this traffic flows through (via court orders or exploits) and what's more is that you likely have access to the TLS certificates themselves (via court orders or exploits as well).
Obviously, there are legal and moral issues surrounding all of this but the technical rationale for how traffic can be monitored is sound. In regards to your GCHQ example (I didn't follow the link because I am at work and it contains the word 'porn'; can't have them tracking me now), the agency most likely had a subpoena to access the information (if they 'hacked' the info, it would be poor OPSEC to disclose such a feat). Considering that the top 5 CAs are based in either the UK or US, this is not much of a stretch to assume. For example, from a ToS at section 8.3:
Comodo will disclose information where required by a subpoena, interception order or other lawful process.
If anyone can add some examples and references, that would be great. I tried to make this more than just conjecture but we will see how it is received.