A consortium of 50 hospitals is building a federated learning system to train a cancer detection model. Each hospital trains locally and sends gradient updates to a central aggregation server. (1) Describe three specific attacks a malicious hospital could execute — for each what is the hospitals goal, how is the attack implemented, and what is the impact on the global model? (2) The consortium uses coordinate-wise median instead of FedAvg. Does this defend against all three attacks? For any that remain explain why. (3) Hospitals are concerned the aggregation server could infer patient information from individual gradient updates. What technical mechanism would you implement?