This is a very interesting read from the EFF: Best Practices for Online Service Providers
(OSPs). (It's actually a PDF linked from this page.) But they're just talking to traditional Internet Service Providers like the cable and telephone companies, right? Nope, just about anyone can be an OSP:
"...virtually any website or access intermediary, not just established subscriber-based businesses, can be considered an OSP under the law. Indeed, even individuals may be 'accidental OSPs' if they set up WiFi access points to share Internet connectivity with friends and neighbors."
Because the government can subpoena any information they want from any service provider, the EFF recommends obfuscating or deleting all server logs. After all, "OSPs cannot be forced to provide data that does not exist." They even note that just "deleting" logs won't completely remove them from the disk, so they recommend complete server-log abstinence:
"The best way to protect against the risk of log artifacts on disk is to never create any user logs in the first place. This is the ideal and safest solution even though it is often impractical."
If you run a web service where people contribute data (my non-lawyer guess is that even weblogs with comments enabled count) these are definitely issues worth thinking about.