by jessaustin 4867 days ago
Intentionally increasing the attack surface of the product you deliver is not ethical. It's unlikely any developer in the situation you describe has tested the time bomb functionality well enough to exclude the possibility that an attacker could exploit it, either before or after the payment date or the cancellation patch. An aspect of the Hippocratic Oath applies here.

The case described in TFA seems better, since the developer retained possession of legitimate control mechanisms, and used those in technically legitimate ways. (That is, updating the content and functionality served at a URL is a legitimate activity that occurs regularly.) In effect he's more of an unpaid service provider than an unpaid IT contractor in this case. No one would expect their phone to keep working without paying the phone bill, and until he turns over control of the site he should be expected to use that control. It's not like he's using a backdoor here.