Not long after Microsoft defended how it accessed a blogger's private Hotmail account to determine if a former employee stole trade secrets, there was an outcry over the privacy implications.

Now, Microsoft is making a change to its privacy policy that would require its legal team — not its internal investigations department — to look into cases to see if a court order is required to access private user data. The company would submit the evidence to an outside lawyer and perform the search only if a judge signs off on it. Microsoft will also publish a bi-annual transparency report that will highlight these types of searches.

Earlier this week, reports circulated that former Microsoft staffer Alex Kibkalo is facing federal criminal chargers over allegations that he stole trade secrets during his tenure at the company. The indictment states Kibkalo "uploaded proprietary software and pre-release software updates for Windows 8 RT as well as the Microsoft Activation Server Software Development Kit (SDK)" to his personal SkyDrive (now OneDrive) account in August 2012.

In 2012, a French blogger tipped off Microsoft that he received a code from the Microsoft Server SDK, which had originally come from a Hotmail user and meant Microsoft could access his account without a court order. This was legal because a statement in Microsoft's terms of service allowed the action to take place if it was to protect the security of its customers. Eventually, the move led to an investigation where, according to court documents, Kibkalo was identified as the source and admitted leaking Microsoft code to outsiders.

In a statement to Mashable, Microsoft defended its action when it came to accessing the blogger's data, saying it was done to "protect our customers and the security and integrity of our products."

Microsoft VP and Deputy General Counsel John Frank also shed more light on the updates related to its privacy policies:

We believe that Outlook and Hotmail email are and should be private. Today there has been coverage about a particular case. While we took extraordinary actions in this case based on the specific circumstances and our concerns about product integrity that would impact our customers, we want to provide additional context regarding how we approach these issues generally and how we are evolving our policies.

Courts do not issue orders authorizing someone to search themselves, since obviously no such order is needed. So even when we believe we have probable cause, it’s not feasible to ask a court to order us to search ourselves. However, even we should not conduct a search of our own email and other customer services unless the circumstances would justify a court order, if one were available. In order to build on our current practices and provide assurances for the future, we will follow the following policies going forward:

To ensure we comply with the standards applicable to obtaining a court order, we will rely in the first instance on a legal team separate from the internal investigating team to assess the evidence. We will move forward only if that team concludes there is evidence of a crime that would be sufficient to justify a court order, if one were applicable. As an additional step, as we go forward, we will then submit this evidence to an outside attorney who is a former federal judge. We will conduct such a search only if this former judge similarly concludes that there is evidence sufficient for a court order.
Even when such a search takes place, it is important that it be confined to the matter under investigation and not search for other information. We therefore will continue to ensure that the search itself is conducted in a proper manner, with supervision by counsel for this purpose.

Finally, we believe it is appropriate to ensure transparency of these types of searches, just as it is for searches that are conducted in response to governmental or court orders. We therefore will publish as part of our bi-annual transparency report the data on the number of these searches that have been conducted and the number of customer accounts that have been affected.

The only exception to these steps will be for internal investigations of Microsoft employees who we find in the course of a company investigation are using their personal accounts for Microsoft business. And in these cases, the review will be confined to the subject matter of the investigation.

The privacy of our customers is incredibly important to us, and while we believe our actions in this particular case were appropriate given the specific circumstances, we want to be clear about how we will handle similar situations going forward. That is why we are building on our current practices and adding to them to further strengthen our processes and increase transparency.

John Frank, Vice President & Deputy General Counsel

Christina Warren contributed to this report