You are explicitly requesting it. Take a look at the params you are passing to scope. I can see, when clicking the "Sign in with Facebook" button, that in the URI you are requesting these permissions: scope=user_likes%2Cemail
I'm sure you are doing nothing malicious, but there's no way for us to be 100% sure you aren't doing something different on production.
Studies have also shown that you should only request those permissions that are needed, otherwise you lower conversions. So you might want to fix this right away.
This is no longer true for apps created after last year's F8 conference (4/30/2014, Graph API v2.0), and I believe the deprecation schedule ends in April. Older apps will no longer get this by default.