Well, I was thinking of something like storing the raw contents of the query_string (for GET) or stdin (for post) to show the value of the checkbox was passed, along with the IP address and the time. That way you could prove that this person (traceable through ISP IP logs if it ever came to that), did at this time submit this input.

But I imagine I'm far from the first to wonder about this and figure someone else has worked out a better solution than mine. My solution still relies on my own recording of the form input - I could have made it up. GET submissions I suppose could be checked against server logs, but not POST.

Update - Whoah - what am I thinking - store raw input? It would have to be heavily sanitized first for security.