In early 2017, a service called FaceApp received a wave of press for using artificial intelligence to transform pictures of faces, making them look older or younger, male or female, or adding a smile to appear happier. This week, FaceApp once again made headlines as celebrities, including the Jonas Brothers, Drake and Dwyane Wade, appeared to use the app to show what they might look like when they get much older. Enough people rushed to download the app and see their own selfies turn gray that FaceApp is currently the top free app in Apple’s App Store.
By Wednesday morning, however, there were growing privacy concerns about the app. As one breathless headline in a New York tabloid put it: “Russians now own all your old photos.” The fears came from stitching together scary-sounding but unfortunately not uncommon wording in the app’s terms of service with an unverified – and now deleted – claim from a developer on Twitter about the app “uploading all your photos” and the simple fact that the company is based in St. Petersburg, Russia.
The FaceApp episode highlights how, after more than a year of high-profile privacy scandals in the tech industry, consumers still don’t adequately scrutinize services before handing over their sensitive personal data. At the same time, it’s a reminder of how little we understand how companies collect our information and what rights they have to it.
Joshua Nozzi, the developer who first raised alarms about FaceApp, and other security researchers later knocked down the initial fear that FaceApp is covertly harvesting your entire smartphone camera roll. Likewise, the fact that a company is based in Russia doesn’t automatically mean it’s a tool of the Russian government.
“Most images are deleted from our servers within 48 hours from the upload date,” the company said in a lengthy statement provided to TechCrunch addressing the privacy concerns. (Representatives for FaceApp did not immediately respond to our request for comment.)
What remains concerning, however, is the language in the app’s terms of service. In one densely worded section, the company informs users that they “grant FaceApp a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display your User Content and any name, username or likeness provided in connection with your User Content in all media formats and channels now known or later developed, without compensation to you.” Translation: FaceApp can effectively do what it wants with your selfie.
But this puts FaceApp in pretty good company. Other prominent tech companies have inserted similarly concerning language into terms of service over the years to assert their rights to use names, pictures and other content shared by users as they please. “If you share a photo on Facebook, you give us permission to store, copy, and share it with others,” Facebook says in its own terms of service.
And yet, we keep sharing first and asking questions later, if we ask them at all. In between FaceApp’s first brush with virality and its explosion in popularity this week, there have been a number of tech privacy scandals, any one of which should arguably have been enough to make people at least reconsider how much information they share with tech companies. Data collected through a seemingly benign personality test on Facebook was provided to Cambridge Analytica, a controversial data firm that worked for Donald Trump’s presidential campaign. A popular period tracking app was found to be sharing data with Facebook. Amazon reportedly employs a global team to listen when you speak to its Echo smart speakers.
But the moment we hear about a flashy new service that can make our selfies look older, or match them with a famous painting, we are quick to throw caution to the wind and hand over the photo of our face, without knowing for sure where it’s stored or what it may be used for. Tech companies certainly deserve criticism for their data privacy practices, but so do we.