
Is it true that sites with a facebook like button send the IP address of hits back to facebook?



The webpage doesn't send the IP address; your browser contacts facebook for the icon and hence sends the IP address and cookies to facebook, in the same way that image hotlinking would work.

Remember it's not just IP address, but could be cookies. Facebook can set a cookie that will be stored in your browser and will be sent to facebook each time. So if your laptop moves around, then the facebook cookie follows you.

Since this is at the browser level there are browser extensions that will block this for you if you want.


The cookie issue doesn't exist for Safari users as it disables third party cookies by default. I don't know why all browsers don't do this. I've been disabling third party cookies in my browser for years and have never come across a website that it breaks. And if Apple can do it without people complaining, I'm sure Mozilla/Microsoft can too.

I prevent the IP address leak by using the Firefox addon RequestPolicy to block cross-origin requests.


I could be mistaken, but that feature only applies to the creation of cookies by third parties.

If you visit facebook.com, a cookie will be set, then later when you visit another site with a facebook widget, it WILL send that cookie that was set earlier when it wasn't 3rd party.


[deleted]


I don't believe this is the case. Even for iframes, the third party cookie rules come into play.


You can also just null out www.facebook.com in your hosts file and be done with it.


The widgets aren't served by WWW. Try something like this to block everything:

  # Block Facebook
  127.0.0.1 www.facebook.com
  127.0.0.1 facebook.com
  127.0.0.1 login.facebook.com
  127.0.0.1 www.login.facebook.com
  127.0.0.1 fbcdn.net
  127.0.0.1 www.fbcdn.net
  127.0.0.1 fbcdn.com
  127.0.0.1 www.fbcdn.com
  127.0.0.1 static.ak.fbcdn.net
  127.0.0.1 static.ak.connect.facebook.com
  127.0.0.1 connect.facebook.net
  127.0.0.1 connect.facebook.com
  127.0.0.1 www.connect.facebook.net
  127.0.0.1 apps.facebook.com

You can also block the widgets without the site (I log in from time to time but haven't seen a widget in a very long time). These days the like buttons are served from connect.facebook.net I believe.


Hi,

Well, it can be way worse than just a simple IP. When you ask for a picture, your browser sends a bunch of info about you that can be dangerous because it gives a footprint. If you want to see that, go to this page (hosted by EFF); it shows you how it can be used to fingerprint you: http://panopticlick.eff.org/index.php?action=log&js=yes

Also, there are other attacks that can be used to go even further, using for example the browser cache. The browser cache has a field that can be set by the server and generally is the date for the expiration of the content you are asking for. But... when first designed it accepts a random string, so for example a UUID... This cache cannot be cleaned with normal procedures and you are tagged without your consent.

Other techniques can be used with Flash and cookie revival has been actively performed by companies like Quantcast. (look it up on the net)

So... what Mr. Stallman has said is true to an extent that only few people know and that's a pretty big deal.


If the like button is hosted on Facebook, your browser requests it from there when you visit the page. So the site doesn't have to do anything except include an img tag with a Facebook url in it; everything else is a consequence of how the internet works.
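
An added example (not code from any commenter in this thread) tying together the hosts-file list above and the point that an embedded Facebook URL is enough to make the browser contact Facebook: it lists the third-party hosts a page's `img`, `script` and `iframe` tags will cause the browser to request, and which of them a given hosts file leaves unblocked. The sample HTML and its paths, `example.org`, and all function names are constructed assumptions; "first party" is approximated as the page's host and its subdomains.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page: two same-site images and two Facebook embeds.
SAMPLE_HTML = """
<html><body>
<img src="/logo.png">
<script src="//connect.facebook.net/widget.js"></script>
<iframe src="https://www.facebook.com/like-button?page=example"></iframe>
<img src="https://static.example.org/banner.png">
</body></html>
"""

class _Embeds(HTMLParser):
    """Collects the hostnames of resources the browser fetches automatically."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url, self.hosts = base_url, set()

    def handle_starttag(self, tag, attrs):
        if tag in ("img", "script", "iframe"):
            src = dict(attrs).get("src")
            if src:  # resolve relative and scheme-relative URLs against the page
                self.hosts.add(urlparse(urljoin(self.base_url, src)).hostname)

def third_party_hosts(page_url, html):
    """Hosts contacted on page load that are not the page's host or a subdomain."""
    parser = _Embeds(page_url)
    parser.feed(html)
    own = urlparse(page_url).hostname
    return {h for h in parser.hosts
            if h and h != own and not h.endswith("." + own)}

def blocked_hosts(hosts_text):
    """Names a hosts file points at a null address (comments stripped)."""
    blocked = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] in ("127.0.0.1", "0.0.0.0"):
            blocked.update(name.lower() for name in fields[1:])
    return blocked

def still_contacted(page_url, html, hosts_text):
    """Third-party hosts the hosts file does not cover. Hosts entries match
    exact names only, so every serving subdomain needs its own line."""
    return sorted(third_party_hosts(page_url, html) - blocked_hosts(hosts_text))

if __name__ == "__main__":
    only_www = "127.0.0.1 www.facebook.com\n"
    print(still_contacted("https://example.org/post", SAMPLE_HTML, only_www))
```

Blocking only `www.facebook.com` leaves `connect.facebook.net` reachable in this sample, which is why the longer list enumerates each serving hostname.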


Google Analytics creates the same problem. This is why I use server side analytics instead. I don't want to send a list of everybody who visits my website to Google.


What do you use for those analytics? Is it something you built or a third-party thing?


My guess is that he is using Piwik (Wikipedia has an entry), as that is the best OSS package that I know of. It's LAMP-based, so YMMV.



