Maybe Google’s motto all this time should have been “Don’t be creepy” instead of not being evil. Maybe that would have produced a different reality from the one presented in a new study from a Vanderbilt professor, released today, which shows that Google’s tracking of users is probably a lot worse and creepier than the average person realizes.

For one thing, the study, which was commissioned by the trade group Digital Content Next, walks through “passive” data collection done by Google, often without the user’s knowledge. One example is when users switch to an incognito browsing session online: Google can retroactively link the results of that session back to the users thanks to how deep its digital tentacles reach into the rest of that same user’s online experience.

“That’s not well understood by consumers,” Douglas Schmidt, the author of the study and a Vanderbilt professor of computer science, told the publication AdAge about those findings. “But if you read the fine print on ‘incognito’ mode it brings up a whole lot of disclaimers.”

Here’s how the incognito mode tracking works, in an AdAge recap of the study:

“A person fires up a private browser session in Chrome. On websites that run ads from Google’s online ad marketplace, anonymized cookies are dropped on the browsers associated with the user. If the same person leaves private browsing mode and logs into a Google service like Gmail or YouTube, the act of signing into Google makes it possible to connect the earlier web activity to the now identified user. (Unless, that is, the cookies expired or were manually deleted by the user.)”

Google is disputing that characterization. According to a spokeswoman, Google doesn’t “join signed-out activity with your Google account information.” However, the report — again, which Google is disputing — stresses that while some information “is typically collected without identifying a unique user, Google distinctively possesses the ability to utilize data collected from other sources to de-anonymize such a collection.”

Among other findings, meanwhile, if an iOS user decides to avoid using any Google product at all and visits only non-Google webpages — well, you can run but you can’t hide. The number of times data gets communicated back to Google’s servers in that scenario is still, per the study, “surprisingly high” and driven by advertiser and publisher services.

You can check out the full study here. At one point, the study walks through a typical “day in the life” experiment involving a real user with a new Google account and an Android phone with a new SIM card. She goes about her daily routine while Google collects data on everything from her location and routes taken to the music she listens to, and more. “Surprisingly,” the study notes, “Google collected or inferred over two-thirds of the information through passive means.”

It continues: “Both Android and Chrome send data to Google even in the absence of any user interaction. Our experiments show that a dormant, stationary Android phone (with Chrome active in the background) communicated location information to Google 340 times during a 24-hour period, or at an average of 14 data communications per hour. In fact, location information constituted 35 percent of all the data samples sent to Google.”

On the subject of tracking location information: as a reminder, we reported yesterday that, following an Associated Press investigation, a San Diego man has filed a complaint against Google in federal court in San Francisco. It seeks class action status on behalf of Android and iPhone users who turned off the “Location History” feature on their phones, a setting the complaint says Google ignored by spying on their movements anyway.

A Google spokesperson provided this statement about the study released today:

“This report is commissioned by a professional DC lobbyist group, and written by a witness for Oracle in their ongoing copyright litigation with Google. So, it’s no surprise that it contains wildly misleading information.”