Security protections have been tightened at many of the major online services, as firms like Google and Microsoft pledge to protect their users against unwanted prying eyes. But while many people fret about unwarranted government access to their data, the Internet firms themselves play by their own set of rules.

Some of the heat directed lately at the U.S. National Security Agency was focused this week on Microsoft instead. On Wednesday, Microsoft revealed that it had taken a peek at a French blogger's personal Hotmail emails as part of a company investigation into trade-secret leaks.

Microsoft said it had a right to do so, because its policies allow it to search personal emails to protect its intellectual property. In this case, a former Microsoft employee allegedly leaked Windows RT updates to the blogger via email. Microsoft's terms of service state that it's forbidden to use the company's services to upload or otherwise make available files that contain software or other material protected by intellectual property laws.

"Microsoft reserves the right to review materials posted to the Communication Services and to remove any materials in its sole discretion," the company says in its terms of use.

Microsoft responded to the criticism by pledging to update its procedures to make them more "transparent." In the future, it said, a separate legal team at Microsoft will review any evidence and proceed "only if that team concludes there is evidence of a crime that would be sufficient to justify a court order, if one were applicable." It will then submit the evidence to an outside attorney -- a former federal judge -- and conduct a search only if that person agrees with its conclusions.

But Microsoft's explanation of why it needs to pursue this route is itself telling. "Courts do not issue orders authorizing someone to search themselves, since obviously no such order is needed," it explained. "So even when we believe we have probable cause, it's not feasible to ask a court to order us to search ourselves."

In other words, there are no laws preventing Microsoft from looking at the data in its own services, so only Microsoft can decide when it's appropriate.

It's not alone in this. Other companies including Google and Yahoo have similar language in their terms of service.

There are at least two class-action lawsuits looking at the way Google's automated systems scan emails for advertising and other purposes. One of the suits accuses Google of crossing a "creepy line" by scanning the data of Apps for Education users to build profiles that could be used for marketing, according to a report this week in Education Week.