Re: Covering your posterior on "Terms & Conditions" checkboxes
by locked_user sundialsvc4 (Abbot) on Jan 24, 2008 at 16:50 UTC
Any sort of legal verbiage like that is “of tenuous value at best.” You don't have a piece of paper with an original signature on it, let alone a notary's seal. You don't even have solid proof of who the guy is — “he” could be a ’bot in Bulgaria, for all you or your computer knows.
So, all that you can realistically do is to program the site so that it presents reasonably-conspicuous notice of your terms-and-conditions. Do it in a way that reasonably avoids “plausible denial” and then hope for the best. Make sure that the entire manner in which your website presents and treats this information is supportive of your argument that “this is valuable property.” For instance, a valuable racehorse is locked in the barn at night and there are “no trespassing” signs posted on the fence, at the very least. “Confidential” papers are stored in a locked filing cabinet, not a newspaper stand.
(It will not matter if hackers “busted the lock” and got into the barn anyway. That's breaking and entering.)
So-called “exculpatory clauses” are no good at all if you committed a tort, or if a plaintiff simply claims that you did. You can't excuse yourself from wrongdoing, or argue that “they ‘agreed’ that it was okay.” Won't fly.
Standing legal principles already exist to address some things, like defacement or denial-of-service or any other sort of intentional mischief, with-or-without verbiage from you. In a sales or service transaction, a web-site is a whole lot like a vending machine. But if you are trying to protect a secret or an intellectual possession, get truly qualified advice. Hire an attorney who specializes in intellectual-property law. (Believe it or not, the fact that you spent money on an attorney, and followed his advice, is further evidence that what you're seeking to protect does, in fact, have material value.)
Re: Covering your posterior on "Terms & Conditions" checkboxes (data)
by tye (Sage) on Jan 24, 2008 at 16:14 UTC
I have no knowledge of an industry standard, but I would record the exact time when the checked POST came in and the IP address that it came from. My natural inclination is to record the time when they downloaded the terms of service document along with when they "accepted", but I suspect that would most often just prove that they had not read the document. You could also check for an instance of identd at their IP and record its response but I doubt such would be useful frequently enough to be worth spending any time to implement it.
There may be other registration data that is worth recording separately. For example, you might have in the user record in the DB such information as "name", "e-mail", "phone", etc. It might be wise to have a "user registration" record in the DB that records some of these values at the time of registration. So updating my personal info updates my user record but my registration record still records key bits about the info I used to originally register. (Note that "normal form" practices probably encourage actually making these just separate fields in one table, if there is a 1-to-1 relationship between the two sets of data, despite my referring to them as separate "records".)
If there are any checks you use to prevent "funny business", then you should also record data about those. For example, if you use a CAPTCHA, then record the string the user entered to prove that they weren't a script. If you check the IP for things like country or against a list of banned IPs, then record something that demonstrates that this check was done (which country the IP appeared to be from or the address of the server used to check for banned IPs or the "last update" date for the DB of banned IPs, etc.). If you check the user agent string, then record it.
Given the current style of using JavaScript for nearly everything including things that gain no real benefit from JavaScript (and that are usually not done quite so well that they don't break some aspects of the UI and very often break my expectations and/or desires regarding the UI), you might be able to record whether they checked the "I agree" box via a mouse click or via keyboard navigation. Okay, now I'm just being too silly. Good luck.
Re: Covering your posterior on "Terms & Conditions" checkboxes
by punch_card_don (Curate) on Jan 24, 2008 at 17:18 UTC
Sage advice.
Actually what I'm trying to do is protect against people changing their tune later. Imagine someone signs up to a service and an aspect of that service - that is made very loudly clear in big red letters over the "sign up" button - is to give your personal info to someone else, or to publish your email address, or to inquire about your financial situation, or something sensitive like that.
Then, after you've done what they asked, they turn around and say "I never asked you to do that. I'm suing."
You reply, "Sure you did - here's the proof, uh, um, wait a minute, I'm sure I have it here somewhere......"
I'm trying to concoct something to pull out of my hat to show.
This is not a trivial matter. Laws had to be changed to recognize a digital signature or a button press as a binding legal contract. Heck, the big news last year was that Panama finally revamped their contract laws for exactly that because without these changes e-commerce was effectively dead in Panama.
But for the lowly programmer trying to design a sign-up page and db so it serves his employer well, I've found little direction. Which surprises me - considering the pervasiveness of online sign-up forms, I half imagined that the recipe for a proof-positive electronic contract would be as well-defined a piece of industry zeitgeist as the signature is to paper by now, and to which I was the only ignorant party living in a cave. Maybe not?
Re: Covering your posterior on "Terms & Conditions" checkboxes
by moritz (Cardinal) on Jan 24, 2008 at 13:48 UTC
Even if you keep the record separately, you still have to rely on the fact that your system works, so you don't gain anything.
So if you create an account (and record the creation date) you have a "positive recording", albeit implicit.
Re: Covering your posterior on "Terms & Conditions" checkboxes
by punch_card_don (Curate) on Jan 24, 2008 at 14:13 UTC
Well, I was thinking of something like storing the raw contents of the query_string (for GET) or stdin (for post) to show the value of the checkbox was passed, along with the IP address and the time. That way you could prove that this person (traceable through ISP IP logs if it ever came to that), did at this time submit this input.
But I imagine I'm far from the first to wonder about this and figure someone else has worked out a better solution than mine. My solution still relies on my own recording of the form input - I could have made it up. GET submissions I suppose could be checked against server logs, but not POST.
Update - Whoa - what am I thinking - store raw input? It would have to be heavily sanitized first for security.
Re: Covering your posterior on "Terms & Conditions" checkboxes
by duelafn (Parson) on Jan 24, 2008 at 14:03 UTC
I know of no standard, but would record the date and/or revision number of the agreed-to terms.
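An added example, not part of any post in this thread: one way to store the acceptance data suggested above (exact time, IP address, user agent, a registration-time snapshot, the terms revision plus a hash of the terms text, and the raw POST body). The table name `consent`, the form field names `agree`, `name`, `email` and `phone`, the `MAX_BODY` cap and the use of SQLite are assumptions made for illustration; the raw body is kept byte-for-byte through bound parameters and is escaped only when displayed.

```python
import hashlib
import html
import json
import sqlite3
from datetime import datetime, timezone
from urllib.parse import parse_qs

MAX_BODY = 8192  # assumed cap on how much of a POST body is kept
SCHEMA = """CREATE TABLE IF NOT EXISTS consent (
    id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL,
    accepted_at TEXT NOT NULL, remote_ip TEXT NOT NULL, user_agent TEXT,
    terms_revision TEXT NOT NULL, terms_sha256 TEXT NOT NULL,
    reg_snapshot TEXT NOT NULL, raw_body BLOB NOT NULL)"""

def record_consent(db, user_id, raw_body, remote_ip, user_agent,
                   terms_revision, terms_text, now=None):
    """Store one acceptance; return the row id, or None if the box was not ticked."""
    form = parse_qs(raw_body.decode("utf-8", "replace"))
    if form.get("agree") != ["on"]:  # hypothetical checkbox field name
        return None
    # Registration-time snapshot, kept apart from the editable user record.
    snapshot = {k: form.get(k, [""])[0] for k in ("name", "email", "phone")}
    when = (now or datetime.now(timezone.utc)).isoformat()
    cur = db.execute(
        "INSERT INTO consent (user_id, accepted_at, remote_ip, user_agent,"
        " terms_revision, terms_sha256, reg_snapshot, raw_body)"
        " VALUES (?, ?, ?, ?, ?, ?, ?, ?)",  # bound parameters, never interpolated
        (user_id, when, remote_ip, user_agent, terms_revision,
         hashlib.sha256(terms_text.encode("utf-8")).hexdigest(),
         json.dumps(snapshot, sort_keys=True), raw_body[:MAX_BODY]))
    db.commit()
    return cur.lastrowid

def render_for_audit(db, row_id):
    """Return the stored body as text that is safe to place in an HTML page."""
    (body,) = db.execute("SELECT raw_body FROM consent WHERE id = ?", (row_id,)).fetchone()
    return html.escape(bytes(body).decode("utf-8", "backslashreplace"))

def demo():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    # Constructed sample POST body containing SQL and HTML metacharacters.
    body = b"name=x%27%29%3B+DROP+TABLE+consent%3B--&email=<script>alert(1)</script>&agree=on"
    rid = record_consent(db, 42, body, "192.0.2.10", "ExampleBrowser/1.0",
                         "2008-01-24", "Constructed terms text, revision 2008-01-24.")
    return db, rid, body
```

The stored bytes are only as trustworthy as the system that wrote them, which is the limitation raised in the posts above; this block does not address that.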
Re: Covering your posterior on "Terms & Conditions" checkboxes
by locked_user sundialsvc4 (Abbot) on Jan 25, 2008 at 21:37 UTC
This is certainly a case where law will trump any sort of explicit-or-implied contract, as law always does. And this might well be a situation where you absolutely need the advice of a qualified attorney, as expressed in a notarized letter on that attorney's letterhead. Even if that opinion costs you a thousand bucks (and it probably won't), it could save you considerably more. If you actually do get sued, this concrete evidence of “due diligence” could be priceless.
People these days are really starting to figure out how insecure this technology can be, and just how cavalier they (and perhaps we) have all been about it. You can find yourself the victim not only of a tort but of an actual felony and it's hard to say just how far the liabilities might go ... or, indeed, should go. I guess it's time we all need to sober-up, so to speak, and proceed a lot more cautiously.
I worked with one client a few years ago who, I think quite sensibly, said “if you want access to this confidential data, contact us, and we will send you a copy of our agreement. When you sign and return this document, notarized, we will issue you a revocable digital-certificate giving you auditable access to our system.” That's covering your posterior about as thoroughly as you could. But his comment made a lot of sense to me: “if ‘the Internet’ wasn't here, this is what we would do with regard to any material of this nature. Why should ‘the Internet’ change that principle?” Why, indeed.
(IANAL ... and glad of it.)
Re: Covering your posterior on "Terms & Conditions" checkboxes
by DrHyde (Prior) on Jan 25, 2008 at 11:35 UTC
For medical applications, I just don't let users register until they've ticked all the "I've read the Ts & Cs and don't have contra-indications X Y and Z" boxes. If they have, then I store their data, if they haven't, I don't. Nothing more complicated than that. We record their IP address in the web server logs. We *don't* record all the details of their POST request, because - well, we record the results of it (that is, them signing up for a service) so there's no point. It's not like anyone else will have recorded the POST either so we wouldn't be able to compare it to anything anyway, so recording it would be useless.