I was contracted by a business to develop software that generates leads for their sales team. A few months before the project deadline, the client issued a change order that added some questionable features, namely:
mass scanning of domain names
web software and cms fingerprinting, including plugins, themes, and server type with version #s for everything
With the business being in the web security field (ssl certificate sales), I was told it was for analytics/better assisting clients with their site needs. This seemed reasonable and I continued with development.
As time progressed, It became apparent this client is actually running a fraudulent telemarketing operation. This involves making cold calls in volume and impersonating the call recipient's preexisting web hosting provider. Key to this scheme is the sales rep having technical details of the call recipient's site (ex. SSL expiration time, domain registrar, etc). These details are used to:
strategically place calls to the website owner during key expiration times
more easily impersonate their existing web host by having info that "only they would know"
Given this information and my potential liability as the developer, I voiced my concerns and stopped all development. I'm now being sued for the money paid to me prior to the change order plus the deposit I took for the change order.
Can I be held responsible for completion of software that clearly violates federal cyber law and could hold me accountable for nefarious acts being committed by the client?
TL;DR Can I be sued for refusing to complete illegal/questionable software features, knowing the buyer intends to use it for fraud?
