But can someone order organic traffic without the obvious avg time spent on site?

By “organic” in this context, do you mean human(oid)? Sure, you can pay humans in {low-wage country} to click all day, but it’s simpler and cheaper to write a robot that acts human by requesting all supporting files including scripts, and then acting on those scripts. Look more closely at analytics. Are they all sending in the same, highly implausible viewport size? I don’t know why they so often do this, but it sticks out like a sore thumb when you’re looking for it. Do repeat visits (same UA and IP) come through as repeats or new visits? Getting a robot to act on scripts is trivial; humanoid handling of cookies seems to be their sticking point.

Bot traffic that will look exactly like human traffic in the eyes of Google Analytics is, sadly, available cheap on several websites.

And I do mean EXACTLY like human traffic. Not one metric will give it away, not resolution, location, country, ctr, bounce, time, etc, etc... all browsers, all sources, all mediums in a believable mix. In my opinion this service renders analytics useless and it renders relying on analytics to do things like buy websites based on the traffic "proof" dangerous.

In my opinion this service renders analytics useless

I use analytics primarily as a cross-check to raw logs, rather than a primary information source. Page + analytics script + entry in analytics = robot. (Entry in analytics and-that's-all: rooooobot.) Page, followed an improbable number of seconds later by all supporting files in a swath: grounds for suspicion. Page + all linked supporting files + favicon + analytics = generally human. Page + all supporting files except favicon + analytics: oh, what the hey, I’ll assume it’s human unless I have reason to suspect otherwise. (If you’re racing through pages at the rate of one every three seconds: sorry, I don’t believe you, no matter how diligent you are about the supporting files.)

Although it’s possible for robots to display fully humanoid behavior, most of the time thankfully they don’t. I do think that analytics hosted on your own server has a great advantage over third-party programs such as GA, because then everything is subject to your own access controls. (Something that should be kept in mind by people who insist on GA and nothing else when pricing your site. Unless they’re actively seeking a site that is popular with robots.)

Bots are getting better. Even Raw Logs are starting to reveal that shift in ability.

I don't think it's only bots, it's hijacked computers too. If it were only bots you could spot them by getting a big enough sample size. Perhaps you'd spot that the same IP visits too often or that too many people came from one regional location to be likely human but no, this analytics data which is 100% bot will absolutely fool on a large scale.

How I found out it was that advanced: A site I was looking at as a possible investment had solid traffic data provided via analytics access. I figured out it wasn't human only because I noticed that the conversions(sales) were low for that level of traffic and, later, that all sales came from one buyer, the site owner.

At that point I dug into the analytics to confirm it was bot traffic and I couldn't find a single metric that gave up the jig. I also use a couple of popular sites that monitor rankings and the traffic was far too high for the rankings it had, by a factor of 50x. I flipped through metric after metric, device type, location, screen size, length of visit, bounce rate etc, etc, even the live data.... there was NO way to tell it was bot traffic by looking at analytics.

Then I found the offer for said traffic, a tiny amount of cash for thousands of fake visits(which weren't being sold as fake). That was the end of the road for me and analytics. As Lucy said it's best to just use it as a reality check or confirmation for other sources of data

I used to dislike the companies who gather google data to better compete with me, the ones we all know about who offer to sell it to your competitors, but now I use these services to confirm that my raw log traffic from search is ballpark. It would not be difficult to replace real traffic with bot traffic on an unsuspecting hacked site in 2019.

- htaccess redirecting visitors coming from search
- sending equal amount of fake search traffic to hacked site
- watching forums fill with complaints of lousy google traffic....

I have no doubt this is already happening after seeing what I saw.

Most definitely bots can appear very human like (the programmed kind as opposed to paid humans)... historically a simple bot would be a command line tool that fetches only the page, no javascript, no plugins, typically no asynchronous fetching of page assets, no canvas... generally easier to spot with a little technical knowledge.

Headless browsers and tools like Puppet for Chrome make the detection must more difficult. Rather than fingerprints of the client, you'd be better off evaluating the behaviour of it. Detecting mouse movement across the page, which direction and how quickly could be one method.

I wouldn't be surprised if there's a substantial effort of some people to try and affect bounce rate to negatively impact competitors. Some of it can be noise too, like bots trying to mitigate their footprint by visiting random places other than their target.

I wish I'd have checked to see how reliant on amazonaws the traffic was.

I wouldn't be surprised if there's a substantial effort of some people to try and affect bounce rate to negatively impact competitors.

These bad actors target far more than the bounce rate. We recently blocked about seven Amazon AWS ranges to stop bots that were landing on our homepage then searching for products not associated with our company. The reported browser was headless Chrome. Site search terms included search=adidas, search=levis, search=wrangler, and other clothing/shoe search terms that are not relevant to what we sell. After a couple days of seeing this consistently, we figured it was not some random bot and instead was a specific/targeted effort to confuse Google into thinking we sell clothing/shoes instead of the actual products we manufacture/wholesale/retail. How effective this method is in confusing Google I do not know. It's my hope that Google would be smart enough to exclude any data it gets from IP ranges associated with AWS and other hosting providers.