Finally dug into "How Fictitious Clicks Appear In Third-Party Click Fraud Audit Reports", a report released on 8 August by Google's Click Quality Team. The report was panned by many at SES and across the search blogosphere as a weak attempt by Google to allay advertiser's fears. I have a different take on the report.
Google wasn't attacking those concerned about fraudulent clicks. Google was attacking firms using weak methodologies to estimate fraud. Google's engineers point out severe limitations in three common third-party click monitoring tools. For example, according to Google, ClickFacts doesn't handle page reloads correctly, and produces squirrelly reports: every click is timestamped as coming through at 2 minutes past the hour. (xx:02:xx AM/PM) Click Forensics and AdWatcher both report more fraudulent clicks than total clicks -- go figure. To me, reading Google's reasonable analysis was like watching someone shoot fish in a barrel: not all that difficult for the shooter, and decidedly unpleasant for the fish.
Click fraud, particularly across the content networks, is an important concern. (Even when assessing validity of any particular click may be impossible, as Tuzhilin points out.) The major engines have considerable legal and ethical responsibilities to their advertisers to minimize the problem. Advertisers should also expect reasonable transparency from the engines. And the engines should take a stand against deceptive-but-not-outright-illegal practices like MFA sites and domaining.
All that being said, the industry overall is not helped by less-than-rigorous approaches for assessing the scope of the problem.