Good points Jnworld. I would also be interested in the answers to this is anyone knows them.

I'm sure there are many different ways they can test this. They are not going to say how for obvious reasons. My guess is a configuration of Computer ID, Cookies & IP. To be safe, I wouldn't click on any Adsense Ads from the computer where I logged on to check stats. Just my view.

jn world
welcome to adsense forum
u have raise a good point .my other concern is that
what google will
think if repeat visitor(s) click on adsense ads regularly?
recently i have seen that some of clicks do not show any amount of money.

"My guess is a configuration of Computer ID, Cookies & IP"

Cookies and IP tracking I know about, but I wasn't aware that any sort of unique Computer ID information was sent along with HTTP headers. Are you suggesting that AsSense Javascript somehow extracts a unique PC identifier (e.g. from somewhere in the registry or the ethernet adapter MAC address) and sends that to AdSense everytime anyone clicks on an ad?

If so that would be pretty worrying from a privacy viewpoint, not just for anyone running adsense, but for anyone ever clicking on an AdSense ad.

It could conceivably associate a click with a specific Google toolbar, assuming the advanced features are running.

Via cookies, Google could easily assign a computer id when Adsense ads are shown and when a user logs on to check Adsense stats. This combination would work no matter how many different IP addresses are used. Just my opinion. I would also guess that they use a type of non visible control file that will keep up with people that clear their cookies on a regular basis. I don't know how to do this, but I do believe it is possible.

Via cookies, Google could easily assign a computer id when Adsense ads are shown and when a user logs on to check Adsense stats.

It's quite easy to see that the ads server, googlesyndication.com, does not send cookies. Also, the ads server cannot read cookies set by the server the stats run on.

Could they use the MAC address of the NIC card?

Not all computers have a NIC, especially those with dial-up internet connections. Also, JavaScript cannot read the MAC address. Maybe the Google toolbar can, but I'm sure some privacy advocate would have let us know if the toolbar had been passing the MAC address 'home'.

Okay, I can state factually that you do pass the following (other than the stuff in the clearly visible javascript variables) to pagead2.googlesyndication.com when you request an ad:

dt=1094225037398
lmt=1094225037
These sure appear to be *nix timestamps, the first with some digits appended.

u_h=1024
u_w=1280
That would appear to be my screen resolution

u_ah=993
u_aw=1280
And that would appear to be the size of my viewport

u_cd=32
My color depth

u_tz=-300
My local timezone

u_his=2
This seems to be a click trail on the site. Every page I load another page on the same site, this increments. So if this was set to 9, I'd be nine clicks into the site, etc. This caught me by surprise somewhat.

u_java=true

No surprise here, just a flag showing I have had my morning coffee. I mean that I have my JVM turned on.

My analysis:
So in response to the original question posed in the thread: "How does Adsense know who's clicking?" This should shine some light, at least in terms of what inputs they have available to use in a fraud detection algo. I make no claims to know anything about much of anything, but you can surmise that it's unlikely that two random occupiers of the same IP address drawn from a dialup pool would have the identical window sizes. I'm sure they do time correlation, since they're bothering to collect those timestamps (with what appears to be millisecond resolution on the first one).

Taking a brief stroll through show_ads.js shows there's a couple more potential user data items to send, u_nplug and u_nmime, which get set to the length of a couple arrays belonging to the navigator object. Getting to google_show_ad(), there's a bunch of things I don't typically see passing by. Quite possibly these are in place for premium publishers. The quick list:

hl language
gl country
gr region
gcs city
hints hints! how intriguing is that? Again, I'm recalling Jenstar's comments that this may be a premium publisher feature.
adsafe?
oe encoding
num_ads seems to get set to w.google_max_num_ads, prehaps a constant defined elsewhere?
adtest probably set to true for you lucky beta participants

okay hold on to your hat for these...
kw_type
kw
in my case, these aren't getting sent, but I imagine tremendous insight could be gained if you could sniff and see these for your site...

num_radlinks?
max_radlink_len?
rl_filtering?

I saw the values of these by taking a sniffer trace (of myself, on my desktop machine, accessing my own site, for all you privacy fiends). It would be real intriguing to look at the same for someone who has the "persistent mis-geotargeting" syndrome. See if those location-oriented fields are getting set somewhere, at the site level or page level, etc.

I'm pretty sure this is all in bounds for discussion here, I hope so anyhow, 'cause it's real interesting.

jnworld asked also in the original post:

are they much, much smarter than I am (which is quite possible!) and have a failsafe method of accounting?

If you'll permit me to speculate, I bet that analysis of patterns in the stuff that's always getting sent raises some sort of flag--then additional things can be set ad hoc at the plex when its necessary to peer more deeply into a situation. That's just my hypothesis for "why so many variables set to null?" so take it or leave it.

Nice work, linear.
adsafe: may be related to Adsense not showing ads on pages with certain subjects because of possible embaressment.

Wow, linear . . . I stand in awe, Nice detective work.

And reassuring, too, given the number of people posting here who claim to get booted out of Adsense for no reason. Even with all those controls, though, it'd still be possible to get booted from the program through no fault of your own. All it would take is a malicious competitor clicking repeatedly on your ads. Google would have to pull the plug on you, even if it wasn't your fault. So no matter how good their click fraud algo is, it's always going to be risky to rely on Adsense as a primary source of income.

Great detective work! Are you related to Sherlock?