In pervasive computing environments, information gateways derive
specific information, such as a person's location, from raw
data provided by a service, such as a videostream offered by
a camera. Here, access control to confidential raw data provided
by a service becomes difficult when a client does not have access
rights to this data. For example, a client might have access
to a person's location information, but not to the videostream from
which a gateway derives this information. Simply granting access
rights to a gateway will allow an intruder into the gateway to
access any raw data that the gateway can access. We present the
concept of derivation-constrained access control, which requires a
gateway to prove to a service that the gateway needs requested
raw data to answer a client's authorized request for derived
information.  Therefore, an intruder into the gateway will be
limited in its capabilities. We provide a formal framework for
derivation-constrained access control based on Lampson et al.'s
``speaks-for'' relationship. We demonstrate feasibility of our
design with a sample implementation and a performance evaluation.