I had another idea to exploit this.
Small ISPs could be persuaded (with money) to let you observe their traffic with a machine that you provide. Over time you could build a large number of real google cookies (or whatever identifier they use) matched with IP addresses and then use this info to spoof surfing activity to your own sites. Once again the spoofing is mixed with the normal surfers activities making it hard to detect.
There would be no impact to users machines and so nothing ilegal would be occuring. The only cost to the ISP is a trivial amount of extra traffic.