Ad fraud is an adversarial game, and you can't 'solve' it with simple things like this. You'll temporarily cause a lot of pain for the bot operators (yay!) but then they'll adjust and start sending the traffic from botnets (hacked consumer devices). Which is already what they do when trying to defraud advertisers on networks that take fraud seriously (which it sounds like your company didn't).
(Disclosure: I used to work on ads at Google)
I'm not saying using a botnet is "hard", per se, but the difference in difficulty compared to using a hosting provider is significant. If bot operators are being forced to use botnets, I'd say the solution is working very well.
My botnet was specifically for the optimization of bounce rates, we kept away from any ads of any sort, and only navigated around the internal website through clicking relative links or absolute links with the same domain.
If you wanted lower bounce rates, you had to also run this on your PC, and kick over $50/mo. It was my favorite service I ever wrote even if it did help rank websites that naturally shouldn't have been ranked higher.
I worked for a company that basically gave me 80% time. 20% of my time was supporting the products we already launched, the other 80% was experimenting and coming up with new products.
I was blogging kind of regularly back then (once every week or so), on a subdomain without any actual backlinks other than from a few "no-index" and "no-follow" links on social media. So technically my website should not have been in the top page for any search term and I shouldn't have had ANY traffic, but it usually was #1 or #2 for various WordPress and jQuery related searches (I had a couple of jQuery plugins and wrote some php hacks that eventually took down millions of websites), and I got 10k monthly visitors on average.
So I started looking into WHY I was the top result of those queries, and it was because when someone landed on my site with that query, the bounce rate was only 10-30% compared to most other sources being 85-90% bounce. The exact technical meaning of a bounce is lost on me now, but it had to do with how long you stayed on the site without leaving or if you click on other internal links for the site.
So I proposed to the owner of the company, I would create a "Click Faker". It would go to google on your local PC, it would then search for a term you wanted to rank, then it would navigate the top 10 pages, if it found you, it would click your link, then spend 2-5 minutes navigating around your site before closing the window.
I first tried this with Selenium (or an equivalent back then), and Google blocked it almost immediately. So then I hacked together a headless version of chromium, with some standard but randomly generated user agent, and eventually expanded it to IE and Firefox as well.
And the marvelous thing is it WORKED! And surprisingly well. BUT you had to get your site in the top 100 results, and be running google AdSense before it would work. It also proved what we had long suspected that google would rank sites with Adsense higher than a website without (probably because of telemetry data they could gather).
The concept worked, we launched the product, and got a few dozen subscribers over the next month, BUT the demand just never materialized, and after 6 months we started seeing diminishing returns as google started captcha-ing our requests, and eventually it was no longer useful and we shuttered it.
Without a large enough network of consumer PCs on consumer internet, it was doomed to fail. The network needed to be around 1000 users before it would work. We even tried giving away free limited accounts (20 visits/day for free if you ran the script, and it stacked, so if you had 3 different PCs on 3 different ISPs - home/work/mom & dads house/etc - you would get 60 visits/day).
Ultimately, I think there wasn't enough education around it, and nothing we did marketing wise really helped.
Google says that they don't do that. I don't believe Google based on personal experience and it's interesting to see that you had some experimental confirmation.
It was very compelling results. Never did a GA ONLY site improve better than an AS only or an AS + GA.
Dumb question: how would google know you spent 2-5 minutes on that domain and navigated around it?
The article you cited mentions CRUX data, which comes from the Google Chrome browser, not Google Analytics. That data is reported to website users in the form of the Core Web Vitals report, which is a different product than Google's ranking algorithm. Although similar data is probably used as a ranking factor, you can't conclude that from this support documentation.
If ad-fraud goes from "We accidentally ran these 'indexing-bots' against some websites, causing some counters to be off. Sorry about that!" to "We deployed our code to run on stolen or hacked machines through botnets paid for in crypto on the dark web", you've moved from legally gray to clearly illegal.
I can see no down-sides with such a move.
People often don't recognize that they are in an adversarial situation, where taking a step that looks like it solves the problem does much less than you expect because other people will later counter your work.
If your qualifying definition of "solution" is "magic bullet" then there are no solutions. Every solution is a component in the perpetual fight.
1. Collaborative situations: your solution works better and better, because people notice and work with you. Ex: designing an icon or coining a word for a new concept; over time more and more people recognize it, use it, etc.
2. Indifferent situations: your solution continues working about the same, because it's not about interaction with others who adapt. Ex: enabling compression on HTML serving, inventing joist hangars, new cancer surgery technique. Most inventions and engineering is in this category.
3. Decay situations: your solution slowly stops working as well, because the world moves on. Ex: payroll software needs to be updated as payroll regulations change.
4. Adversarial situations: your solution quickly stops working well, because others are directly trying to counter your work. Ex: investing strategies, antibiotics, ad fraud, ad fraud detection.
When you're evaluating a solution based on how it seems like it would work in the current world, thinking about how collaborative-vs-adversarial the situation is helps you predict what the full rollout of your solution would look like.
I realise this probably comes of a little snarky but I've tried following your comments in good faith and it just seems like a very abstract hammer looking for a nail without really reading/listening to the quite literal/simple/not-very-abstract discussion being had here.
Then, in our subthread it seemed to me like you were saying that it being adversarial doesn't matter, and wins are always ephemeral ("every solution is a component in the perpetual fight"). I responded by explaining how this varies by situation, with some where wins compound (cooperative) but that the adversarial nature of ad fraud shortens the lifetime of wins dramatically compared to other domains.
-cuts their profits in half or more because they have to pay for the proxies(or if they own them they can't sell them since they need them)
-it prevents most low skilled people from doing it
-it prevents them from doing on it on an infinite scale, AWS have more than a 100 millions IPs, it's rare to see a grey market proxy provider with more than a few millions clean IPs, and it usually cost like 40 cents per IP, where it can be FREE on AWS
You add basic protection against headless browsers, behavioral analysis etc...And now 99% of the people who can fool you are already making 6 figures in legitimate jobs and won't risk 10 years of jail to earn just a bit more money.
There's no such thing as zero; a successful measure is one that achieves significant reduction.
(I think of botnets as not actually that hard a step for fraudsters, and fraudsters as being very determined, but it depends a lot on how much money people can make with fraud against your particular situation)
Ever wondered how free VPN services make their money? Lots of them use a portion of your traffic to proxy these types of requests.
Apple could eliminate most ad fraud that pretends to be its platforms, by generating tokens from its secure enclave for advertisers, and providing a REST API to validate the token is from a live device.
And of course, as you are in this industry, you know that Apple devices are the highest quality, valuable, converting clicks in the ecosystem.
Then again, PAT would diminish inventory, prices would rise, and people would get better, but nonetheless similar, ROI that they get today.
It is intellectually dishonest to make predictions about ROI. Nobody really knows. Bot farms, fraud, those are all red herrings. Most advertising has shitty creatives.
What stops someone from buying an Apple device and generating a zillion tokens?
Pegging the rate limiter to 100% on an old iphone is also going still give you a lot of tokens very cheaply.
Most of serious implementations have their own clocks or incremented counters, which makes tricking them very hard even for a state actor.
Then it would be easier to bot owners to just move onto your competitors, and you would have higher efficiency than them.
All "well, actually" aside, my point was, and remains... ...we could've taken some action against obvious fraud, but we didn't, because the business team didn't want their numbers to go down.