But if a session id is provided ala php (done some php programming myself) all you have to do is enter the code once on the first download, then setup your bot, and viola - tons of bogus downloads. Once the session id is provided it remains until it's scheduled to time out or as long as the bot stays online generating hits.
This is *not* an issue. Experienced programmers knows this problem and how to solve it. In this case: A user history identifies anbody downloading "to mutch". There are several solutions to decide if a downloader is a bot (some based on statistics).
As I sayed before: Details should be discussed from people involved and equiped with enough know-how. Anything other is just killing time.