2007 will see the first documented case of click-fraud blackmail. The same lightweight criminals in poorly policed countries that currently collect blackmail from mid-sized companies by threatening DDOS attacks will realize that they can get the same effect much, much easier by threatening to get AdSense publishers banned. The ransom note will go something like this: "On Thanksgiving Day, you will see hits on your home page from over 5,000 unique IP addresses that contain the unique URL of www.yerdomain.com/#payup-or-else. You will wire $2,000 to the following bank account by Dec. 15th, or else we will use 5,000 other unique IP addresses to click-fraud your account during the second half of December. Google will then freeze your Christmas profits and then ban you. If they don't ban you, they will still keep your funds. In any case, we will attack again until Google does ban you."
This is lose-lose for Google. When Google gets looser at banning publishers, then click-frauders will just use botnets to increase their bogus AdSense revenues. When Google gets tighter at banning publishers, then the truly criminal click-frauders can switch to blackmailing other AdSense publishers. In fact, a criminal AdSense click-frauder who gets banned may produce a bogus blackmail email and tell Google it wasn't their fault.
This is not a problem with a technical solution. It is a structural flaw in the CPC model itself. There is no automatic technical way to determine who the instigator of distributed click fraud attacks is. Algorithms cannot detect human intent. This is the core threat to the entire CPC model.