The user is sending the hash to the external server. Thus, the external server is connecting with the visitor, and *can get their IP*.
Yes, it's this I'm objecting to, the notion that by visiting a Wikimedia-run website I am unknowingly sending requests to some guy's PC. I have no problem with toolserver-based setups, such as that used on the English Wikipedia.
-Gurch